CSOs share metrics for proving physical security's value
PAGE 34

THE RESOURCE FOR SECURITY EXECUTIVES

UNWELCOME DIVERSIONS
Two experts tell what it takes to combat product diversion
PAGE 42

SECURE FROM THE START
Forward-thinking companies set up building permits for IT projects
PAGE 52

SECURITY MEETS PRIVACY
Five things every CSO needs to know about chief privacy officers. Thing number one: They're just like you, underfunded and misunderstood
PAGE 26

February 2005 $9.00
www.csoonline.com



million square miles?

It's a big world out there, and your remote offices can be all over it. But no matter where they are, you can keep them secure with the Symantec™ Gateway Security 5400 Series and Symantec™ Gateway Security 400 Series appliances. Install the 5400 Series in your main office and the 400 Series in your smaller locations and you'll have comprehensive gateway protection wherever you need it. To learn how to protect your company's critical information, go to http://ses.symantec.com/appliances




How did 80% of information become 100% useless?

What if information could find its way in and out of databases, all on its very own? With the Adobe Intelligent Document Platform, it's possible. When you combine the logic of XML and Adobe PDF, suddenly documents are smarter. Unstructured content unifies with structured data. And information intuitively travels where it's needed, safely and securely. It's simplicity at work. The Intelligent Document Platform. Better by Adobe.

See how smarter documents are working for other companies at adobe.com/idp.

Adobe® Intelligent Document Platform




MAX BRENTON, HEAD OF CORPORATE SECURITY, ROCHE DIAGNOSTICS. PAGE 42


26 COVER STORY Five Things Every CSO Needs to Know About the Chief Privacy Officer
PRIVACY What does privacy have to do with security? Plenty. From the federal government to the private sector, CPOs are emerging as important players. It's essential that CSOs cultivate common ground with privacy executives. By Sarah D. Scalet

34 Where the Metrics Are
METRICS CSOs count on physical security metrics to evaluate their organizations' performance and to communicate security's value to other business executives. By Thomas Wailgum

42 Unwelcome Diversions
PRODUCT DIVERSION It costs manufacturers millions—but often isn't technically illegal. CSOs say combating diversion involves equal parts investigation and corporate politicking.

52 Building Code
APPLICATION DEVELOPMENT Everyone knows it's cheaper and better to build in security from the start of a technology project. Following the federal government's lead, forward-thinking companies have formalized the process. Here's why you should too. By Lauren Gibbons Paul

17 Briefing
The Super Bowl's defensive stance; Still armed and flying; Beaming with health; The Security Blotter; Border drills; How AOL earns customer trust

COLUMNS

22 Wonk
A catch in Check 21: As banks move away from paper checks, some observers wonder if "substitute checks" aren't opening new doors for fraud. By Al Sacco

24 Reporting, Regulating and Merging
SECURITY COUNSEL George Miserendino, owner and president of Triton Security Solutions, answers readers' questions about securing utilities.

56 Audit Agitation
CSO UNDERCOVER What do you do when your customers want you to do an independent security audit—and your CEO doesn't?

59 Machine Shop
Even with security built in from the get-go, Bluetooth has problems. By Simson Garfinkel
TOOLBOX Strong authentication

64 Debriefing
QUIZ Sticky fingers and radials

IN EVERY ISSUE
6 CSOonline.com
Letter from the Editor
12 Letters

Cover photo by Danuta Otfinowski

4 www.csoonline.com February 2005




PLEASE NOTE: HACKERS TRIED TO ACCESS OUR ACCOUNTS 126 TIMES LAST YEAR (THAT WE KNOW OF)

Even if everyone knew about the problem, would anyone know the solution?

As every aspect of business migrates to the Web, sensitive information once sheltered is now exposed. Because browser-based applications pass through the entire security perimeter.

If that doesn't wrinkle your brow, in a recent study 70 percent of companies reported security intrusions, with an average of 136 annually.

The only real answer is a solution that knows exactly what your application's traffic should look like, and blocks everything else. A comprehensive solution that gives you complete control over who gets access from where and when, that can actually identify and filter application-level cyber attacks.

It's application traffic management taken to the next level. Something that could only have come from a deep understanding of both the network and the application. Which is why only F5 can offer it. For details on this revolutionary architecture, including our TrafficShield™ Application Firewall and FirePass® SSL VPN, visit www.f5.com/csobank or call 866-563-2308.




29% Lax & incompetent
22% Aggressive & invasive
49% A compromise between safety & convenience

BASED ON 100 RESPONSES. CSO SECURITY CHECK IS AN OPEN WEEKLY POLL ON WWW.CSOONLINE.COM


What Say You?
Twice a month, Web Writer Jon Surmacz raises security issues that warrant your feedback. Read his Web-only column, and then tell us what you think.
www.csoonline.com/talkback

Something for Nothing
CSO newsletters are delivered right to your inbox for free. Sign up for newsletters on CSO careers, leadership and technology, or just to stay in tune with the most recent updates to CSOonline.com. What are you waiting for? Sign up now.
www.csoonline.com/newsletters

Research Center Spotlight: Risk
Learn strategies and tactics for managing risk in your organization. Read articles on due diligence, global risk, ROI and other risk management topics. You'll also find links to other Web resources and tools to help you measure and analyze your risks.
www.csoonline.com/research/risk

Analyze This
We've gathered research from the leading security experts in the analyst community and put it in one place. Read a new report each week.
www.csoonline.com/analyst

Safety in Numbers
Did you know that revenue for anti-spyware software companies is expected to climb from $12 million in 2003 to $305 million in 2008? Get more numbers in our Metrics section.
www.csoonline.com/metrics

Make the Most of Your Metrics
In "Where the Metrics Are" (Page 34), Staff Writer Thomas Wailgum tells us how Starbucks, Nestle and others derive and collect security metrics. To learn how to make those numbers sing in a presentation, read "Build Business Cases Like Steel Pistons!" from the December 2004 issue. Go to www.csoonline.com/printlinks


JOHN HEDLEY, HEAD OF GROUP SECURITY FOR NESTLE, SAYS THAT PREPARING FOR DISASTERS CAN

"Convincing business of the value of IT security is less of an image issue and more of a credibility issue."
-HANNES LUBICH, I.T. SECURITY STRATEGIST, COMPUTER ASSOCIATES, FROM "WHAT'S MUDDLING YOUR MESSAGE?" WWW.CSOONLINE.COM/TALKBACK/120604.HTML


THE  RESOURCE  FOR  SECURITY  EXECUTIVES 


President  and  CEO  Walter  Manninen 
Group  Publisher  Gary  J.  Beach 
Publisher  Bob  Bragdon 

EDITORIAL 

Editor  in  Chief  Lew  McCreary 
Editor  Derek  Slater 
Managing  Editor  Michael  Goldberg 
Managing  Editor,  Production  Cheryl  R.  Asselin 
Senior  Editors 

Scott  Berinato,  Todd  Datz,  Sarah  D.  Scalet 
Editor  at  Large  Simson  Garfinkel 
Departments  Editor  Kathleen  S.  Carr 

Contributors  Daintry  Duffy,  Grant  Gross,  Lauren 
Gibbons  Paul,  Paul  Roberts,  Thomas  Wailgum 

COPY  TEAM 

Senior  Copy  Editors 
Diann  Daniel,  Emily  S.  Henderson 

Copy  Editor  Cathy  Mallen 
Assoc.  Copy  Editor  Daniel  John  Robinson 
Editorial  Assistants 

Daniel  J.  Horgan,  Margaret  Locher,  Al  Sacco 

RESEARCH  &  PROJECTS 

Research  Editor  Lorraine  Cosgrove  Ware 
Editorial  Resource  Manager  Carol  Zarrow 
Associate  Research  Analyst  Julie  Hanson 
Special  Projects  Manager  Lynne  Z.  Rigolini 

DESIGN 

Executive  Director,  Art  and  Design  Mary  Lester 
Art  Director  Steve  Traynor 
Associate  Art  Director  Chandra  Tallman 
Design  Operations  Specialist  Rachel  Barnett 

ONLINE  EDITORIAL 

Web  Editorial  Director  Art  Jahnke 
Consulting  Editor  Janice  Brand 
Web  Editor  Sandy  Kendall 
Web  Writer  Jon  Surmacz 

ONLINE  &  INFORMATION  SYSTEMS 

Chief  Information  Officer  Mark  Hall 

ONLINE 

Senior  VP/General  Manager,  Online  Tim  Horgan 
E-Commerce  Manager  Andrew  Burrell 

Online  Producers  Todd  Borglund, 
Shannon  Macdonald,  Jen  McCarthy 

Online  Production  Specialist  Rupal  Patel 
Designer  Graham  White 

INFORMATION  SYSTEMS 

Director  of  Information  Technology  Dagmar  Eiben 
Infrastructure  Manager  James  C.  Burgoyne 
User  Services  Manager  Ron  Bettencourt 

Senior  User  Services  Specialists 
Michael  Fahlsing,  Jonathan  Frappier 

Systems  Administrator  Robert  Reagan 

Senior  Web  Developers 
Sean  McCracken,  Ellen  Morey 

Associate  Web  Developer  Anthony  Servideo 

CHIEF  SECURITY  OFFICER 
CXO  MEDIA  INC. /IDG 

Robert  Hayes 


CXO MEDIA INC.

INTERNATIONAL DATA GROUP

Board Chairman Patrick J. McGovern
CEO Pat Kenealy


6  www.csoonline.com  February  2005 


©  CXO  Media  Inc. 


hates us.

And our customers couldn't be happier. Scott's a hacker and it's our job to make his job impossible. We're Sophos, a global leader in network security.

Over 97,000 viruses want inside your network. The number is growing, and so is the severity of attacks. Sophos knows how to stop them. Join the 25 million business users in 150 countries who already depend on our proven anti-virus, anti-spam and email policy enforcement solutions and acclaimed customer support to protect against multiple evolving threats.

FREE resources and the chance to WIN a Dell™ Pocket DJ at stopthethreat.com

Learn more about the power of consolidated multi-tiered network protection. Download free white papers, analyst reports and webcasts from independent expert sources at stopthethreat.com. While you're there, enter for your chance to win one of two Dell™ Pocket DJs ($199 value each).

SOPHOS
anti-virus, anti-spam and email policy for business

Free downloads and the chance to win at stopthethreat.com ENTER PIN: tgiisl


The Right Numbers

At a conference many years ago, during an era when CIOs were just beginning to worship the god of Metrics, I heard a speaker offer the atheist viewpoint that "if you can't tell whether IT is bringing value to your business, you've got way bigger problems than any program of metrics can solve."

That statement resonated with my contrarian instincts. CIOs were then getting themselves in a twist, developing highly introspective measurement initiatives to assemble proof of IT's value. But, as the atheist went on to say, when your boss starts asking for proof of value, that in itself is a pretty good indication that you're not delivering enough of it. Worse, if you're preoccupied looking inward while your competition is aggressively looking outward, you can wind up behind the marketplace curve, having paid too much attention to the wrong things.

But lately I've unclenched in my dour view of matters metrical. When chosen wisely and applied judiciously, metrics can serve as a management and education tool that both powers better decision making and gives other executives a keener understanding of the value security brings.

This month, Staff Writer Thomas Wailgum offers inspiring examples of well-chosen metrics, the best of which not only impress others but also shape future directions and strategies (see "Where the Metrics Are," Page 34). Wailgum's article is full of good ideas for identifying and implementing meaningful programs of measurement. (Take for example, Starbucks' tracking of robberies at its retail outlets and follow-up efforts to minimize them.)

Part of what led to my attitude adjustment was reading Moneyball, Michael Lewis's terrific book about a partisan revolution within the hidebound world of professional baseball. The book is a chronicle of how old, tobacco-chawed habits die hard. It is also the best thing I've ever read about metrics, and how a set of cherished-but-wrong-headed statistics can mislead devotees. It is important to choose your metrics wisely.

Lewis's baseball Sandinistas are the "Sabermetricians" (after the Society for American Baseball Research, or SABR)—a group of baseball stat geeks who've championed a wholesale rethinking of what is measured in baseball and how it gets applied. The core belief of the Sabermetricians, first advanced by the apostle Bill James, is that baseball's traditionalists have ignored metrics—on-base percentage, in particular—that are much more useful and revealing than batting average or slugging percentage.

Among the central heresies of Sabermetrics is the idea that a walk is as good as a hit. Baseball traditionalists have always undervalued walks, ignoring the opportunity of teaching hitters to be more disciplined at the plate. Likewise, managers have tended to place too high a value on bunts and steals, both of which are reliable ways to make outs. Sabermetrics counsels that outs are to be avoided at all cost.

Into the mosh pit of Sabermetric theory leaps Billy Beane, GM of the Oakland A's, a failed ballplayer who fit the physical baseball ideal but lacked both the temperament and discipline to succeed on the field. The hero of Moneyball, Beane internalizes Bill James's metrics and turns the somewhat reluctant and baffled A's into a modern proof of concept for Sabermetrics. High-priced baseball talent valued by traditional measurements may be less efficient and score fewer runs than lower-priced talent when measured against Jamesian yardsticks.

Baseball is now gradually being reinvented along Sabermetric lines. The Boston Red Sox, whose GM is another Bill James acolyte, won the World Series after architecting a team around Sabermetric principles. I would encourage anyone still a skeptic on metrics to pick up a copy of Moneyball and learn how the right numbers can produce the right stuff. -Lew McCreary

mccreary@cxo.com


8  www.csoonline.com  February  2005 


PHOTO  BY  WEBB  CHAPPELL 


REAL-TIME CORRELATION
PROACTIVE INTELLIGENCE
TOTAL NETWORK VISIBILITY
Console panels shown: Vulnerability Scan Statistics; Root MX Record Activity


VeriSign Managed Security Services

Where visibility and intelligence overpower fear and doubt.

VeriSign® Managed Security Services lets you take a proactive stance on security. How? By continually monitoring and correlating data across firewall, IPS, IDS, VPN, and endpoint systems. By integrating and leveraging these unique insights with continuous vulnerability assessments and the advanced data that comes from handling billions of global email, DNS, and e-commerce interactions every day. And by processing over 250 million daily security events across some of the world's most sensitive networks. VeriSign also offers an award-winning team of hundreds of security experts, ready to monitor and protect your network 24/7. For more on how our Managed Security Services can provide you with a comprehensive view of your network's health and security, visit www.verisign.com/dm/mss. VeriSign. Where it all comes together.™






PREEMPTIVE SECURITY IS HERE

NETWORK & HOST INTRUSION PREVENTION | VULNERABILITY MANAGEMENT | MANAGED SECURITY SERVICES



The only effective security is preemption. This preemptive power is only available with the Proventia® Enterprise Security Platform from Internet Security Systems. When software security flaws are discovered, Internet Security Systems' world-renowned research team updates Proventia to immediately shield against any attacks targeting weak spots. Regardless of the size of your business, this new standard in Internet security can help keep you off the path to disaster and reduce your total cost of ownership. In fact, when we manage Proventia for you, we'll even guarantee protection. Need proof? Get your free whitepaper, Preemptive Protection: Setting a New Standard in Security, at www.iss.net/proof/CSO or call 800-776-2362.


(A) We protect you from the threat here
(B) The other guys react to the threat here

www.iss.net


Internet  Security  Systems® 

Ahead  of  the  threat. 


csoletters@cxo.com 


Image Matters

In "The Image Issue" (December), we used the format of a consumer style or men's health magazine to show the importance of CSOs communicating the security message. Some readers questioned our approach.

I like to consider myself a security professional. I consider the wording on your latest cover to be unprofessional, in particular, the phrase "What excites a metric-sexual." I have no qualm about such phrases on magazines like Cosmo or Vogue that are sold in supermarkets. Our IT assistant hand-delivers our department mail to me, and I really don't want to leave that cover sitting on my desk. In addition, the makeover portion of the magazine was a waste. Can we focus on security and the concerns therein? Otherwise, I enjoy your publication.

ROB HUGHES
Senior Systems Engineer
Lifeline Systems

In "Show Time for Security," Senior Editor Sarah D. Scalet introduced our December issue. She wrote about the need to transcend the preconceived notions of the security group as a law-enforcing cost center in order to appropriately influence how other business executives and their staffs view the security department and its leader. This perception is fundamental to any security awareness program, and it's the key to selling security initiatives to the rest of the business. This reader agrees.

Security executives clearly need to communicate their value to the enterprise in a manner that goes way beyond technology alone. As with many areas of life, perception equates to reality. To be taken seriously within a business setting and to maximize one's effectiveness in that arena, one must understand people and communicate effectively, which is the case in any leadership position.

Earning the right to be taken seriously, and to be perceived as a true collaborator, requires more than an impressive law enforcement, security or technical background. While these experiences and skills shouldn't be taken lightly, the most successful security leaders of the 21st century will work hard to enter the comfort zone of other executives and staff within the organization to better sell the very ideas and recommendations that result from their distinctive expertise and background.

JOHN A. FALLONE
Vice President
Interpersonal Technology Group

Props  are  meant  to  provide  support,  to  hold 
something  up.  But  they  aren't  meant  to  take 
center  stage.  In  December's  “Build  Business 
Cases  Like  Steel  Pistons!”  we  emphasized 
the  importance  of  keeping  your  audience’s 
attention  focused  on  you. 

The section titled "Do get people to look at you" was right on the mark. Too often, presentations are overcrowded or jazzed up with fancy gimmicks, motion and sound just because PowerPoint makes it easy. There is a pervasive sense that slides need to be entertaining. I always instruct my employees that less is more where slides are concerned. The focus of any presentation should be on the speaker. More than anything, slides should be a mnemonic device for the speaker to keep the presentation on course.

FRANK NEKOBA
Director, Public Safety
Defense Logistics Agency
Department of Defense

How to Reach Us

E-MAIL csoletters@cxo.com
PHONE 508 872-0080
FAX 508 879-7784
ADDRESS CSO Magazine, 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
SUBSCRIBER SERVICES phone: 866 354-1125 fax: 847 564-9453 e-mail: cso@omeda.com
REPRINTS For article reprints (500 quantity or more), contact Keith Williams at PARS International at 212 221-9595 x319 or e-mail keith@parsintl.com.

ABOUT IDG International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world. Offering the widest range of media options, IDG reaches more than 120 million technology buyers in 85 countries representing 95 percent of worldwide IT spending. IDG publishes more than 300 newspapers and magazines in 85 countries, led by the Computerworld, Infoworld, Macworld, Network World, PC World and CIO global product lines. IDG offers online users the largest network of technology-specific sites around the world through IDG.net (www.idg.net), a gateway to IDG's 330 websites powered by more than 2,000 journalists reporting from every continent in the world. IDG also produces 168 technology-related conferences and events, and research company IDC provides global market intelligence, analysis and forecasts in 43 countries.

CORRECTION:  The  photo  on  our  December  cover  should 
have  been  credited  to  David  Cook.  We  regret  the  error. 

We  want  to  hear  from  you. 

To  respond  to  articles  you’ve  read  in  CSO,  write  to 
us  at  csoletters@cxo.com.  We  welcome  your 
thoughts  and  suggestions. 


12  www.csoonline.com  February  2005 


Authenex

Strong Authentication

The Authenex A-Key hybrid token offers USB and one-time password functionality for your company's strong two-factor authentication needs. Whether those needs are VPN, LAN, or Web, the Authenex A-Key works in conjunction with the ASAS authentication server to offer strong two-factor authentication with or without PKI. The A-Key also provides 128-bit AES encryption and secure file exchange. The only solution that delivers total mobility and maximum flexibility is waiting for you.

Full PKI Support
e-Security
Less Overhead
Hard Disk/File Encryption
Secure File Exchange
Total Mobility

Available Now! Get your free evaluation A-Key now*
Visit us on the web at www.authenex.com/cso

Visit us at the RSA Conference 2005, February 14-18 at Booth #1410.

* Certain terms and conditions may apply




Worrying about your network security? (Want to stop?)

There are two kinds of security threats. Those you've faced and those you will. That's why CDW offers the latest security solutions from top name brands. We also have account managers who can help you find the right solution for you. And with access to the largest in stock inventories, you'll get what you need fast. So why wait? Peace of mind is just a phone call away.


The Security Solutions You Need When You Need Them.

CDW 639823
Trend Micro Client/Server/Messaging Suite for Small and Medium Business (SMB)
Integrated antivirus and anti-spam solution for networked workstations, servers and Microsoft Exchange servers
Scans and eliminates viruses within a company's network and blocks spam at the e-mail server before it reaches users
Delivers low false-positive rates by combining advanced heuristic anti-spam engine functionality with signature lookup capabilities and advanced approved/denied e-mail lists
5-25 user license




Cisco® PIX® 506E 3DES/AES Bundle
Provides rich security services including stateful inspection firewalling, virtual private networking (VPN) and intrusion protection in a single device
Ensures that all the users behind it are safe and secure from threats lurking on the Internet using the Cisco® Adaptive Security Algorithm (ASA) and PIX® operating system
Enforces customized policies on network traffic traversing the firewall

CDW 508964
Symantec™ Gateway Security 420 Appliance
$429.96
Integrates stateful inspection firewall with antivirus policy enforcement, IPsec VPN, intrusion detection, intrusion prevention and content filtering technologies
Offers integrated networking functions including a multi-port LAN switch, a router and Internet link protection with automatic detection failover and bandwidth aggregation capabilities
Provides protection for wireless LAN networks with an access point option that extends security protection to WLAN clients while allowing seamless roaming within a facility
Wireless access card sold separately

CDW 672017
WatchGuard Firebox® X15
$477.80
Model-upgradeable VPN endpoint and SOHO firewall security appliance
Supports up to 30 users
Firewall throughput: 95Mbps and VPN throughput: 35Mbps
Concurrent sessions: 8000
Branch-office VPN tunnels: 15 and mobile VPN tunnels: 25

CDW 672589
SonicWALL PRO 4060
Integrated security appliance supporting unlimited nodes
3000 site-to-site VPN policies
1000 VPN client sessions included
300+ Mbps firewall performance
190Mbps (3DES and AES) VPN performance
FREE year of intrusion prevention with product registration

CDW 534910


The  Right  Technology.  Right  Away 

CDW.com  •  800.399.4CDW 
In  Canada,  call  800.387.2173  •  CDW.ca 


Finally 


IT jobs are back, and companies are hiring again. Which means it's time to give Robert Half Technology a call. With over 100 offices worldwide, staffed with hiring managers who know the IT marketplace, we have access to some of the most interesting opportunities and cutting-edge technology companies. We offer competitive pay, great benefits and a world-class eLearning program. So whether it's freelance or full-time opportunities you're after, the IT jobs have returned. And Robert Half Technology knows where to find them.


WE  GET  IT.  WE  SPEAK  IT.  WE  KNOW  IT. 

Robert  Half 

Technology 




Information  Technology  Professionals 

A  Robert  Half  International  Company 


800.793.5533  •  rht.com 


©  Robert  Half  Technology.  EOE  0105-4200 




News,  Stats  and  Fast  Facts 

Edited  by  Kathleen  S.  Carr 


The  Super  Bowl’s 
Defensive  Stance 


PHYSICAL SECURITY “This is our premier event. We’re on an international stage, so it’s very important that the game come off and people not worry about security,” says Milton Ahlerich, senior vice president of security for the National Football League. On Feb. 6, Ahlerich will welcome close to 80,000 spectators to the Super Bowl in Jacksonville, Fla. He says that many of the security measures employed at this year’s Super Bowl may be familiar to game-goers.

But  the  Super  Bowl,  being  much  more  than  a 
regular  NFL  game,  requires  supersized  security, 
with  a  budget  to  match.  To  provide  a  safe  Super 
Bowl,  the  NFL,  the  host  city  and  the  federal 
government  contribute  money  for  security- 
upward  of  $10  million  this  year,  with  the  NFL 
footing  more  than  half  of  the  bill.  Also,  the 
security  perimeter  is  wider  than  for  typical  NFL 
games,  and  a  300-foot  barricade  is  built.  In 
addition,  temporary  flight  restrictions,  which 
apply  to  all  NFL  games,  are  extended. 

The chief burden for security is borne by the host city’s police department. This year, the Jacksonville sheriff’s office will carry out the security plan that the agencies involved put together.

Ahlerich would not say that the event is considered a terrorist target, but he did say that the NFL was “not going to take any chances.” To that end, host stadiums are required to have state-of-the-art video surveillance cameras in and around the stadium. At the time of this interview, Ahlerich had recently reviewed the upgraded system in Jacksonville, which does not include biometrics. Biometrics was tested outside the stadium by the Tampa police for the Super Bowl in 2001, but it was deemed to be not yet mature enough. And it wasn’t too popular with the fans.

Nontraditional guest accommodations provide an unusual security issue for this year’s Super Bowl. Due to a shortage of hotels in the area, five cruise ships will be used as temporary floating hotels, providing about 3,600 rooms. Guests will be screened when they enter or leave their ships.

-Diann  Daniel 


Milton Ahlerich, senior VP of security for the NFL.


Help  in  a  Crisis 

EMPLOYEE SAFETY In the wee hours of Dec. 26th, Tim Weir’s BlackBerry went off, alerting Accenture's director of global security to the disaster that was unfolding in Southeast Asia. Although the tsunamis that devastated coastal portions of Indonesia, Thailand, India, Sri Lanka and the Maldives did not hit business centers, Accenture had employees in the vicinity on vacation; the company’s first priority was locating them and ensuring their safety. This process continues as of press time.

In  times  of  crisis,  many  companies 
turn  to  travel  safety  providers  such  as 
Securitas  Security  Services  USA,  Control 
Risk  Group  and  iJet. 

Accenture, for example, has been using iJet Travel Intelligence to provide its employees, both inside and outside the affected regions, with up-to-date information about the communications infrastructure, travel, security and the health situation on the ground. “People need to return to work in the region. And because of iJet, we can drill down, and employees can weigh whether they want to travel,” says Weir. Accenture employees that were in affected areas were able to call in to iJet’s crisis hotline to get information. Weir continues to monitor the situation through alerts on his BlackBerry.

Aside from health concerns, iJet is also tracking the security situation for its clients. iJet works with several relief agencies that have sent up to 600 employees into the hardest-hit areas. Bruce McIndoe, chairman and CEO of iJet, cites security concerns in countries such as Indonesia. “People are trying to distribute aid [food and medicine], and the police are stealing it, the military are stealing it, and local people are scrambling for relief,” he says. -Daintry Duffy


PHOTO  LEFT  BY  JC  RIDLEY/NFL  PHOTOS:  RIGHT  BY  GETTY  IMAGES 


February  2005  www.csoonline.com  17 


Love  Knows 


SURVEILLANCE  Valentine’s 
Day.  For  many,  it’s  the  time  for 
lovers  to  find  each  other  the  perfect 
manifestations  of  their  affection. 

But  for  some,  it’s  also  the  time  to 
find  out  where  their  lover  keeps 
sneaking  off  to  at  night. 

At  NowAuto,  a  chain  of  car 
dealerships  in  Arizona,  the 
technology  to  trace  your  valentine  is 
now  offered  in  the  basic  feature 
package.  The  NaviCom  Mobile 
Location  Unit  is  a  GPS  monitoring 
system  that  pinpoints  the  exact 
location  of  a  vehicle  and  allows  the 
subscriber  to  track  its  whereabouts 
on  a  digital  map. 

While  NaviCom  does  not 
promote  the  use  of  its  technology 
for  surreptitious  means,  Barry 
Mitchell,  former  manager  of  the 
NowAuto  in  Mesa,  Ariz., 
acknowledges  that  the  door  is  wide 
open  for  subscribers  to  use  the 
system  however  they  want. 

-Daniel  J.  Morgan 


Still  Armed  and  Flying 


DHS Agents in the U.S. Federal Air Marshal Service remain on the job three years after the Sept. 11 terrorist attacks on the United States.

Recent media reports, based on anonymous sources, have raised concerns about the low number of U.S. flights that are covered by air marshals. There are over 27,000 flights every day, and air marshals go on only “targeted critical flights,” according to David Adams, an air marshal spokesman in U.S. Immigration and Customs Enforcement with the Department of Homeland Security.

The actual number of air marshals is classified, but the number of air marshals now flying each month is more than the total number of air marshal flights between the program’s start in 1965 and Sept. 11, 2001, Adams says. Anonymous sources that underestimate the number of air marshals do a disservice to the program, he adds.

The Bush administration’s fiscal year 2005 budget cut the air marshal program from $626 million to $613 million, but a DHS funding bill passed by Congress in October allocated $662 million for the program. (The service had a budget of $466 million in fiscal year 2003.) Plans call for hiring more agents in 2005, Adams says.

The  service  is  satisfied  that  the  funding 
will  cover  its  needs,  Adams  adds.  “Any 
agency  is  going  to  say  they  want  more 
people,”  he  says. 

The Air Line Pilots Association has in the past noted that air marshals fly on a limited number of flights, but association spokesman John Mazor says the program can serve as a deterrent even with limited numbers of air marshals flying.

Still, Mazor acknowledges that the association would welcome more air marshals on flights.

Air marshal officials call the 11-week training program for new agents one of the most rigorous in law enforcement. “The life of a federal air marshal is 30,000 feet, 200 passengers on board and a potential felony in progress,” Adams says. “They can’t call for backup; there’s no room for error.” -Grant Gross


“The goal is not to have bad guys on airplanes so we can blow them away at 30,000 feet. The goal is to keep them off.”

-JOHN MAZOR, AN AIR LINE PILOTS ASSOCIATION SPOKESMAN


Beaming  with  Health 

Jacobi  Medical  Center  in  the  Bronx 
uses  RFIDs  to  track  its  patients 

RFIDS At the largest public hospital in the Bronx, more than 200 patients admitted last summer were tagged with radio frequency identification (RFID) chips on their wrists instead of the standard-issue plastic wristbands. The tagging was part of a pilot project at New York's Jacobi Medical Center, using technology from Siemens Business Services, to streamline administrative tasks and improve the accuracy of handling patients' treatment and records.

The hospital tried the technology in its surgical and oncology units, which are Wi-Fi enabled. The tags contain only the patient’s name, gender, date of birth and medical record number. Doctors and nurses use tablet PCs with an RFID reader that picks up the patient’s number at very close range and—when provided with the proper access credentials—links to a central clinical network where the patient’s medical record resides, along with information from labs, pharmacy and billing. There are plans to expand the pilot to two additional care units and then into a “general production” environment throughout the hospital in the spring.

A large number of Jacobi patients are admitted via the emergency room. Can inpatients choose whether they are tagged? No. “They have to be identified, right?” says Jerry Moy, senior client executive with Siemens Business Services. Apparently patients have not complained about the system. Indeed, the privacy of personal data and security of stored information is probably no worse than the old system—in which health-care providers had a cart full of three-ring binders, one for each patient.

And  patients  may  feel  some  added 
security,  knowing  they  are  less  likely 
now  to  undergo  a  bypass  when  they 
only  came  in  for  a  biopsy. 

-Sandy  Kendall 




PHOTO  BY  CORBIS 




Confidence  Inspired 


carrying  you  further. 


www.rsasecurity.com/securid 


June  1992 

Secured  dial-up  connection 
to  the  office  from  a  convention 
in  Phoenix. 

December  1999 

Safeguarded  VPN  access 
12  miles  outside  of  Aspen. 

October  2004 

Protected  Microsoft®  Windows® 
desktop  while  in  a  holding 
pattern  over  LAX.  No  passwords. 
No  problem. 



RSA SecurID


©2004 RSA Security Inc. All rights reserved. RSA, RSA Security, and SecurID are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other products and services mentioned are trademarks of their respective companies.




Smart  Move. 


THE  SECURITY  BLOTTER 


Briefing 


Breaches,  scams  and  other  recent  incidents  of  note 


United States hikes antiterrorism grants to big cities. The Department of Homeland Security unveiled new grant figures that boost homeland security spending for major cities. New York City, Washington, D.C., and Los Angeles top the list. New York City's $208 million grant for 2005 is more than triple its 2004 figure and reflects the federal government’s bowing to pressure from big cities that claimed they had been overlooked in homeland defense budgeting, The New York Times reported. The figures (including $78 million for Washington, D.C., and $61 million for Los Angeles) reflect new risk analysis calculations that account for bridges, landmark structures and government buildings.

Barclays fights fraud at London cash machines. Cash machine fraud in the United Kingdom increased by 85 percent last year, according to the Association for Payment Clearing Services. In response, U.K. bank Barclays is rolling out an antiskimming device for cash machines in London, including 22 ATMs located in London Underground stations. The device fits over the card slot on an ATM and prevents a perpetrator from attaching a rogue magnetic strip reader to the cash machine, and collecting bank card and password data from unknowing consumers. The cash machine automatically shuts down if it detects tampering.

British to adopt national ID cards. Britain will issue citizen ID cards starting in 2008, after Parliament approved the move on Dec. 20. Home Secretary Charles Clarke says the cards are important to fighting terrorism, organized crime and identity theft, according to London’s Daily Mail. His argument overcame critics who said the project was a Big Brother boondoggle not worth its 3 billion pound ($5.7 billion) cost. The first cards will cost $163 each and will be issued to passport applicants. By 2012, 80 percent of the population is expected to have ID cards.

Laws limit camera use in public places. Congress has passed a bill that would slap fines up to $100,000 and prison time on anyone found taking photos or videos of unconsenting partially clad people on federal property, The Associated Press reported. The law, which President Bush signed on Dec. 23, is aimed at camera phones. Laws already on the books in New Jersey, meanwhile, enabled authorities to fine owners of Caesars Atlantic City Hotel Casino $80,000 for using surveillance cameras to spy on women, AP reported. The case centered on two ex-employees who allegedly recorded women visiting the facility.

Cooperative effort in phishing fight. Internet companies and law enforcement agencies—including the FBI, the Federal Trade Commission, the U.S. Secret Service and the U.S. Postal Inspection Service—announced on Dec. 8 that they will crack down on phishing perpetrators. Members of the Digital PhishNet project—including AOL, Digital River, EarthLink, Lycos, Microsoft, Network Solutions and VeriSign—say they will track down online scammers posing as legitimate businesses and notify the FBI when they spot a phishing attack.

Database  breach  spurs  proposed  privacy 
law.  California  Sen.  Debra  Bowen  proposed  a 
bill  that  would  ban  the  state  from  providing 
researchers  with  Californians’  personal  data. 
Bowen  says  she  filed  the  bill  after  a  breach  of 
a  University  of  California,  Berkeley,  computer 
system  on  which  a  researcher  had  stored  the 
names  and  Social  Security  numbers  of 
1.4  million  residents  from  the  state’s  In-Home 
Supportive  Services  program,  which  cares  for 
low-income  elderly  and  disabled  people. 

TSA deploys more bomb-sniffing dogs to secure airports. The Transportation Security Administration announced on Dec. 17 that it had graduated 11 new bomb-sniffing dog teams to work at airports in Miami; Orlando, Fla.; Columbus, Ohio; Minneapolis-St. Paul; Tulsa, Okla.; Houston; San Antonio; San Diego; and Los Angeles. These 11 teams will join the 420 teams the TSA already has in place nationwide. Besides airports, the government deploys the dog teams at high-profile events such as last year’s national political conventions.

-Kathleen  S.  Carr 


Border 
Drills 


FIRST  RESPONDERS 


First responders from the United States and Canada met in Vermont on Oct. 26, 2004, to take part in Operation Border Safe. The daylong event used tabletop exercises, developed by the Department of Homeland Security, to address cross-border terrorism incidents. The mock incidents were played out on screens to test how participants would respond if weapons of mass destruction were used in the border area of Northern Vermont and the nearby Quebec region. Participants viewed the mock incidents and discussed how they would respond.

And how they could respond—legally—played a large part in the discussions. The simulations gave the 150 participants the opportunity to wrestle with jurisdictional issues that near-border attacks would create.

Vermont was the first out of the gate, but training is available to first responders in every state along the U.S.-Canadian and U.S.-Mexican borders. -Diann Daniel


CSO ROLE According to (ISC)2 and other leading IT security organizations and companies, 2005 is the year of the infosec professional. (ISC)2 wants to raise the profile of the IT security worker through events, mentoring programs and scholarships. The yearlong focus hopes to highlight a worldwide demand for infosec professionals and to attract new people to the profession. -Paul Roberts




ILLUSTRATION  BY  ROB  ZAMMARCHI;  PHOTO  BY  GETTY  IMAGES 


How  AOL  Earns 
Customer  Trust 

INTEGRITY ASSURANCE Tatiana Platt (at right), chief trust officer and senior vice president of America Online, carries the reputation of the AOL brand on her shoulders. Security has become a core component of ensuring the integrity of that brand. CSO spoke to Platt recently about her title, online security and the challenges of communicating security to children, retirees and everyone in between.

CSO:  How  did  the  role  of  chief  trust 
officer  evolve  at  AOL? 

Tatiana Platt: In 1996, I was named vice president of integrity assurance. I created an organization that could respond quickly while preserving the integrity of the consumer experience. In 1998, our first official privacy policy was born. That was brought under the integrity assurance umbrella. In 1999, I took over functions related to network standards, like what kind of content would be on the welcome screen and whether we would take advertising from tobacco or alcohol companies. These issues go to the heart of the user experience. The whole “trust” idea came about in 2003. The group was reorganized into different lines of business, and we thought about what these different functions embody: It’s the trust between AOL and its consumers. Ted Leonsis, vice chairman of AOL, came up with the title of chief trust officer. We are the consumer face of security.


How  have  you  influenced  AOL’s  security 
posture? 

Before the latest product incarnation [AOL 9.0 security edition], the challenge was convincing the organization that putting money into security is a good thing. AOL has taken the position that security is a necessary evil. Our consumers are telling us that security is important to them, but they want AOL to do it for them. The National Cyber Security Alliance and AOL did a joint study where they asked consumers whether they had antivirus and firewall protection, and then went to people’s computers to see if there was a difference between reality and their perception of how safe they thought they were. The difference was huge. [See “Home Users Aren’t as Safe as They Think They Are,” below.] People think they have protected themselves, but they’re not updating.

How  has  the  changing  security 
environment  affected  your  work? 

As threats have changed, so has the work and focus of the department. We’ve needed to come up with different ways to educate the user. My group does a lot of prioritizing. If we only have one inch of text on the AOL welcome screen or 30 seconds in a TV ad, with the hope that the consumer retains some shred of the message, what should we focus on? Our consumers are everyone from parents to children to college students to seniors, and we want to create a product that is easy for all age groups to use.

What message do you think you'll be trying to convey to users a year from now?

I’d like to say we’re moving in the direction where the big players will start offering consumers one-stop shopping; security will be built into the product. I think the answer is second-factor authentication. Online banks are starting to offer hard token authentication in addition to passwords; two to three years from now, it’s going to be pretty commonplace. It’s going to take a lot of coming together to get systems that will work across multiple sites, but when we do, the phishers will go out of business. Maybe instead of looking at an ad that says, “Got milk?” it’ll say, “Got secure ID?” ■


FROM THE DEPARTMENT OF HOME USERS AREN’T AS SAFE AS THEY THINK THEY ARE

Perception: 77% of home users think their computer is safe from online threats; 73% think their computer is safe from viruses; 60% feel safe from hackers. Reality: 19% currently have at least one virus on their home computer; 67% do not have any firewall protection; 67% do not have updated antivirus software; 15% do not have any antivirus software.

Stay  tuned  for  the  March  issue  in  which  CISOs  will  share  information  and  tips  on  how  they  secure  their  own  home  networks. 




Public  Policy  at  Work 


Top  Billing 

NEWS  FROM  INSIDE  THE  BELTWAY 


A  Catch  in  Check  21 

As  banks  move  away  from  paper  checks,  some  observers  wonder  if 
“substitute checks” aren’t opening new doors for fraud By Al Sacco


ALTHOUGH FINANCIAL institutions may have survived the October deadline for Check 21, the country is still a long way from abandoning the use of paper checks. And maybe that’s not such a bad thing.

The Check Clearing for the 21st Century Act, a.k.a. Check 21, is a federal law governing the use of digital “substitute checks.” Check 21 allows clearing and paying banks to eliminate the physical shipment of paper checks, speeding up the check-clearing process.

Robert Hunt, a senior analyst with the Tower Group, a financial services consultancy, says that banks have had many hurdles in the path to Check 21 implementation. Educating customers about substitute checks is only the beginning. Banks are struggling to implement systems to produce and process substitute checks. They are also working on the development of emergency preparedness plans in case a database is compromised.

At  the  Charlotte,  N.C. -based  Wachovia, 
a  Check  21  task  force  spent  months  making 
sure  that  customers  were  aware  of  their  rights 
concerning  substitute  checks,  says  Carol 
Malicki,  senior  vice  president  of  operating 
services  and  cochairwoman  of  the  task  force. 
The  company  sent  out  mailings  and  made 
information  available  in  English  and  Spanish 
on  its  websites.  Malicki  says  that  although 
Wachovia  can  create  substitute  checks  and 
process  digital  images,  hers  and  most  other 
banks  are  still  dependent  on  paper  checks. 

“There are systems in place that create substitute checks, should we need one, but most of our partners are simply not ready for them,” she says. She notes that while Check 21 required that banks be able to receive substitute checks, there is no set time period for when banks need to eliminate paper checks. Malicki expects it will be years before paper checks become obsolete.

Perhaps the slow transition is just as well. According to the American Bankers Association, check fraud is the second biggest risk to the industry, behind identity theft. Some observers wonder whether the facets of Check 21 that save banks time and manpower will also open doors for criminals.

A Unisys white paper titled “Is Your Check 21 Implementation a Fraud Hazard?” highlights a number of risks, such as the potential disaster if a database of personal information and even signatures is accessed by criminals. The paper asserts that banks may have a harder time prosecuting fraud because the procedure typically involves destruction of the original check.

Hunt, for his part, is optimistic that the end results will be worth the sweat. “Check 21 takes away some of the traditional ways we had of spotting checks—I can’t see its color, I can’t feel the check—and it may present some new threats, but it also provides some new opportunities” to decrease check fraud losses, he says. And that is music to the CSO’s ears. ■


News  from  Washington 

To  read  more  about  what’s  happening  in  Washington,  D.C., 
visit  our  website  at  www.csoonline.com/wonk. 


President Bush has nominated Judge Michael Chertoff to replace Tom Ridge as the Secretary of Homeland Security. Chertoff, a federal appeals judge and former prosecutor in New York City, was head of the criminal division of the Department of Justice on Sept. 11, 2001, and he helped to oversee the department’s antiterrorism strategy in the months that followed. Former New York City Police Commissioner Bernard Kerik withdrew from consideration for the post after ethical and legal questions made his confirmation unlikely.

DHS Inspector General Clark Kent Ervin will not be reappointed after his term ends. In two years on the job, Ervin issued a number of highly critical reports, including a recent one that cited major management challenges, including the CIO's lack of the necessary authority to manage department-wide technology and assets, and questions of whether DHS has enough staff to manage its $6.8 billion in procurements from 2003. Ervin’s deputy, Richard Skinner, has assumed duties as acting inspector general.

In late November, DHS and the Ad Council unveiled new Ready Campaign public service advertisements. The Ready Campaign, launched one year ago, is an effort to educate Americans about how to prepare for and respond to terrorist attacks and other disasters. According to Tom Ridge, outgoing DHS secretary, the message of the ads is simple: “Everyone should have a plan.” The TV advertisements, aimed specifically at parents, are focused on “family emergency plans.” Some feature children asking such questions as, “How do we keep in touch with each other if the phones don't work?”; “If we can’t make it home, who’ll pick us up?”; and “Shouldn’t we pick a place to meet?”




ILLUSTRATION  BY  CORBIS;  PHOTO  BY  GETTY  IMAGES 


Advertisement 


Nokia One Business Server

R.O. Ida, The CFO

Network Firewall Appliance

6820 Messaging Device

The queen was in her counting house, counting all her company’s savings. More specifically, when we caught up with R.O. Ida, the chief financial officer, she was tallying last month’s savings, the result of a total mobility solution the Queen of Lean has begun implementing.


What’s  up  with  that  jar  full  of  old  rings  and  tarnished  coins 
on  your ... 

Shhhh!  2,997,  2,998,  2,999,  three  thousand  dollars!  Wow,  right  to 
the  bottom  line.  And  we  haven’t  even  reined  in  all  the  runaway 
mobility  expenses  yet.  Oh,  the  jar....  It’s  stuff  I  found  with  my  metal 
detector. 

You’re  smiling,  which  is  odd  for  a  CFO;  are  you  actually 
enjoying  yourself? 

It  sure  beats  signing  expense  reports— they’re  what  I  like  to  call  a 
salesman’s  best  shot  at  creative  writing!  But  what  really  gives  me  a 
kick  is  saving  money,  and  that’s  what  we’re  doing  here  now  with  our 
new  total  mobile  strategy. 

A  strategy  for  all  mobile  services?  Why  not  let  individual 
departments  decide  what’s  best,  or  even  the  individuals 
themselves? 

That’s  what  got  us  into  a  big  mess  in  the  first  place.  Until  recently, 
we  had  five  different  mobile  service  providers.  We  had  hardware  from 
eight  different  vendors.  We  had  incompatible  mobile  email  solutions. 
It  was  hard  for  us  to  guarantee  security  with  such  a  rat’s  nest.  And 
man,  was  it  expensive.  Tell  you  the  truth,  we  had  a  really  hard  time  just 
tracking  the  expense.  To  people  like  me,  that’s  like  not  knowing  the  day 
of  the  week. 

So  what  did  you  do? 

I was complaining about this to a friend while we were window shopping, and she said, “Call Nokia.” So I did. It wasn’t just a business query—it was an S.O.S., because we were spending a third of our IT budget on mobility. After routine IT maintenance, we were left with zippo for strategic development. It was like throwing good money into a parking meter—there was just no return.

What  did  Nokia  do  for  you? 

For starters, they helped us develop a total mobile connectivity solution, with uniform high-speed remote access to give our road warriors the info they need no matter where they are, and quickly. They layered in just the right amount of security, including a secure VPN. And they gave our administrators real easy-to-use tools to assign access privileges based on user identity. This was our foundation.

Then what?

Slowly but surely, we developed a plan with Nokia to get rid of a lot of the incompatible, clunky mobile hardware and replace it with intelligent Nokia devices. They are built to work seamlessly together, which means fewer calls in the middle of the night from far-flung corners of the globe to our help desk. And less help-desk expense. With their guidance, our mobile workers get just what they need, but no more. I like that. Now we inventory all new devices, and maintenance and replacement schedules are predictable. I really like that.

Anything else?

You bet. Everyone knows the killer app today is email. It’s the lifeblood for our mobile workers. Nokia worked with us to provide a uniform, simple, and highly reliable mobile email solution that has saved us big bucks. They helped us fine-tune the solution to the different devices our IT guys deploy, because some road warriors like to use their PDAs for mail, others like their laptops, and still others prefer their smart phones. Me—I just love the dollar savings that come from a single, predictable, and reliable mobile email solution.

Sounds like Nokia helped you find a key to the efficiency kingdom.

Yeah, and I didn’t have to use my metal detector to find it. Now, if you’ll excuse me, it’s lunch time and I’d like to balance my checkbook. By the way, the time’s out on your parking meter.


Interviewer Bill Laberis was editor-in-chief of Computerworld for ten years (1986-1996). He is president of Bill Laberis Associates, a custom publishing and content company (www.laberis.com). His columns, Webcasts, supplements and magazines are well-known and respected throughout the high-tech industry.




Learn how to mobilize your team and increase business productivity. Download “The Anytime, Anyplace World” white paper.

nokiaforbusiness.com 


NOKIA

Connecting People


modifying policies and procedures, conducting tabletop exercises, and applying technologies (card access, CCTV, intrusion detection systems) at facilities determined to be “critical” to the company.


Reporting, Regulating and Merging


What impact is all the consolidation of energy companies through mergers having on security?

Mergers have slowed progress in some areas due to the new senior management team coming in and identifying what their priorities will be and how they will achieve them. In most cases, security projects and initiatives have been placed in abeyance until strategic plans are finalized. However, in all instances where government regulatory initiatives have been identified, companies have responded favorably to meet the new standards.


George Miserendino, owner and president of Triton Security Solutions, answers readers’ questions about securing utilities


GEORGE MISERENDINO IS THE OWNER and president of security consultancy Triton Security Solutions, which specializes in infrastructure protection strategies for the electricity, gas and water industries. He also has 30 years of experience in security services management. CSO contacted him to tap his extensive industry expertise on matters of compliance, consolidation and critical infrastructure.

Where do you think the infrastructures are in terms of using “intelligent video” for protection of the buffer zones?

The BZPP (Buffer Zone Protection Plan) is an initiative of the Department of Homeland Security that specifies the types of equipment to be used near identified “critical assets.” I envision that, during 2005, this DHS project may receive considerable attention from the various critical infrastructures where it will be applied to assist in countersurveillance and incident deterrence initiatives.

Where do you think corporate security should report in a utility? And what should be the relationship between physical security and data security?

Physical and data security are partnering on a more frequent basis. The NERC Cyber Security Standards will help facilitate a clearer working relationship. Reporting relationships in the utility industry vary broadly, with security functions being located in shared services, administrative services, legal departments, human resources and (in a few rare instances) operating line organizations.

The reporting location is not as important as the proactive support of corporate senior management, specifically the CEO, COO, CIO and so on.


Are we safer because of this regulation, or would we have gotten there without it?

Without a doubt, we are significantly safer today than we were prior to 9/11 as a result of a number of regulatory initiatives. These include bulk electric power transmission, dams, facilities on navigable waterways and so on.

What should companies be doing that they are not? What should have been required that was not?

Companies should continue to validate their processes to identify critical facilities, assets and systems. In this regard, a better understanding of these systems and their interdependencies with other infrastructures should be further researched and understood.

You were at this before the phrase “critical infrastructure” was coined. What have been the most significant changes you’ve seen that have improved security?

The development of companywide “security councils” to address and validate security program initiatives. Generally, these councils are made up of senior management representatives who are subject-matter experts, representing their respective organizations. These councils have been successful in raising security awareness issues and opportunities across many corporate business functions, thereby facilitating progress.


Ask Your Peers


How well is the industry responding to the legislation? Are companies making their deadlines and actively complying?

Recent surveys indicate that both the electric and gas sectors are meeting FERC, Coast Guard, TSA and NERC security initiatives. Companies are


Have a security topic to suggest or an expert you’d like to hear from? Send your thoughts to Departments Editor Kathleen S. Carr at kcarr@cxo.com. See what your peers are discussing at www.csoonline.com/counsel.


24 www.csoonline.com February 2005


Demand Excellence


Information Systems Audit and Control Association®


For more than 30 years ISACA has been certifying professionals with its flagship certification, CISA® (Certified Information Systems Auditor®), the globally accepted standard among IS audit, control and security professionals. In 2002, ISACA introduced CISM® (Certified Information Security Manager®), a groundbreaking credential specifically designed for information security professionals who manage an information security function of an enterprise or have information security management responsibilities. Together these programs have certified over 40,000 people worldwide.




International exposure, recognition of advanced job skills, participation with a global leader in IT certification: all of these benefits are obtained through achievement of an ISACA certification. For more information, visit the ISACA web site at www.isaca.org/certification.




Register online now for the 11 June 2005 exams at www.isaca.org/examreg




Cover Story


What does privacy have to do with security? Plenty. From the federal government to the private sector, CPOs are emerging as important players. It’s essential that CSOs cultivate common ground with privacy executives. By Sarah D. Scalet


IN THIS STORY: Why chief privacy officers should be on CSOs’ radars ■ How CPOs influence business decisions ■ How to find common ground with CPOs


It was the annual crunch time between Thanksgiving and the new year, and Nuala O’Connor Kelly had just sent to the printer the first-ever report to Congress by a chief privacy officer.

This was it, the historic report—a 40-page description of what O’Connor Kelly had been doing during her first year as the first CPO of the U.S. Department of Homeland Security. Like addressing concerns about DHS’s policies with privacy officers from other countries. Examining the department’s growing use of biometrics. And reading irate e-mails from the public about controversial initiatives like the Transportation Security Administration’s passenger screening program. If O’Connor Kelly was nervous about the grilling she was likely to get once members of Congress got their mitts on her report, she wasn’t letting on.

“It’s actually a great moment for the [privacy] office to sit back and take stock of where we are now and where we’re going for the next two, three, four, five years,” says O’Connor Kelly, dashing from one meeting to the next with one of her staff members.

At the time, O’Connor Kelly was the only federal government CPO whose position was mandated by law and who was required to file an annual report to Congress. But this seemed on the brink of change. Congress’s consolidated 2005 appropriations bill, signed by President Bush in December, contains a provision that—depending on how the White House’s Office of Management and Budget interprets it—would create a handful or more of CPOs at federal agencies.

These new CPOs would be charged with protecting privacy within their own agencies, evaluating proposed laws and regulations, training employees about privacy policies and ensuring compliance with applicable laws. They would have to report on their progress annually to Congress. And every other year, their agency’s Inspector General would have to hire “a recognized leader in privacy consulting” to do an independent review of their program’s effectiveness.

The law would do a lot more than create a crew of federal CPOs in O’Connor Kelly’s image. In the private sector, government demand for privacy expertise is expected to lead to greater awareness, more stringent certifications and stricter standards around privacy.

And for CSOs, it ensures that their best friend and nemesis, the CPO, is not going away.

“There are some conflicts between the philosophical approaches to the two positions,” says Lynn Mattice, vice president and CSO at Boston Scientific. “The CSO’s responsibility is to ensure that the business enterprise is safeguarded, and the privacy officer is primarily concerned with safeguarding the individual’s privacy. That’s where you can have some points of contention.”

The CSO and CPO are necessary, if sometimes uncomfortable, bedfellows. Although they may be at odds when it comes to issues such as surveillance and background investigations, they rely upon one another in a fundamental way: the CPO for help protecting information that the company has promised is private, and the CSO for help articulating the need for information assurance. Looking at one another is a little like looking in a fun-house mirror. The image, though familiar, is distorted. Understanding the nature of these distortions is a key to both groups’ success.

Here, then, are five things about the role of chief privacy officer that every CSO should understand.


1 The CPO’s history parallels the CSO’s own emergence.

FLASH BACK TO THE MID TO LATE 1990S, when businesses first started hiring CPOs. The new position was hailed as a sign that corporate America was going to start paying attention to the privacy of both employee and customer information. Somebody finally gave a damn.

Sound familiar? That’s because the emergence of the CPO has much in common with that of the CSO.

Back then, the privacy provisions of the Gramm-Leach-Bliley Act for the financial services industry were just taking effect. In health care, the privacy rule of the Health Insurance Portability and Accountability Act even stipulated that organizations had to name a privacy officer. Hiring a CPO became either a regulatory necessity or a way of sticking a flag in the ground that said, “Customer data protected here.”

Then, however, the role seemed to falter. Starting with a souring economy and culminating with the aftermath of the 9/11 attacks, companies began diverting money away from privacy and toward security and risk management.

“The abundance of resources simply dried up,” recalls Alan Westin, the well-known cofounder of the think tank Privacy & American Business, which founded a trade group, the Association of Corporate Privacy Officers (ACPO). “When we would talk to many of the privacy officers that had been active, they would come in and say their budget had been cut; their staff had been cut.”

Now, however, observers such as Westin are optimistic of a second coming for CPOs. Growing concern about identity theft is bringing privacy to the forefront, and lawmakers are responding. Meanwhile, the International Association of Privacy Professionals (IAPP), created when Westin’s group merged with another privacy association, has issued the profession’s first certification. The test covers everything from legal compliance to workplace screening to website disclosure. It’s not a technical certification, but it does require a basic understanding of how data is handled by IT systems.

“This field is coming to a certain maturity,” says Harriet Pearson, the CPO of IBM, who became a certified information privacy professional in the first-ever IAPP test. Now, she says, “You can add CIPP after my name.”

Of course, not all the people earning this certification or serving as privacy officers are true strategic privacy executives—just as not all those with CISSPs, CPPs or the “security officer” moniker are true strategic security executives. But for Pearson, that’s beside the point. She points to IAPP’s membership—almost 1,500—as a positive sign.

“To me, that’s a heck of a lot of people who’ve declared that they want to join us,” Pearson says. She, for one, thinks privacy professionals are here to stay.


2 The CPO role is as much about business as privacy.


SO WHO EXACTLY ARE THESE CHIEF PRIVACY officers, the CSO’s brethren in information protection? Even as the CPO role takes root, it is not evolving as many privacy activists hoped it might. Rather than acting as staunch protectors of privacy at any cost, CPOs are finding that in order to be successful, they must instead be savvy negotiators, navigating the conflicting interests of business needs, customer expectations and legal requirements.

Whereas security officers are positioning themselves as experts on risk rather than security, CPOs are positioning themselves as mediators, not protectors, in regard to privacy.

This means that in the CPO, security executives will find an ally who has similar concerns about gaining a reputation as someone who always puts the brakes on business.




“Nobody yet that I’m aware of is planning the widespread use of these RFID tags on any consumer products, but you still see the concern about tracking consumers by satellite,” says Sandy Hughes, global privacy executive at Procter & Gamble. “And because they’re concerned about it, we have to address it.”




Consider for a moment Sandy Hughes, the global privacy executive for the consumer goods giant Procter & Gamble. Hughes is spending a lot of her time these days talking about radio frequency ID tags, or RFIDs. That’s no surprise, since there’s no more contentious topic in privacy circles right now than the uses and possible misuses of these inventory tracking devices. Hughes’s goal, however, isn’t to determine whether Procter & Gamble should use RFIDs. It’s to find the right way for P&G to use RFIDs.

Part of that involves reassuring the public. “Nobody yet that I’m aware of is planning any widespread use of these tags on any consumer products, but still you see the concern about [companies doing things like] tracking consumers by satellite,” says Hughes, who’s involved with EPCglobal, a nonprofit industry association developing standards for the use of RFIDs for electronic product codes. “That’s not even in the plan, but [customers are] concerned about it. And because they’re concerned about it, we have to address it.”

“Procter & Gamble has to move forward for competitive reasons and implement RFIDs,” explains Stephanie Perrin, a senior fellow for the Electronic Privacy Information Center (EPIC), a watchdog group. “If Sandy Hughes says, ‘We’re not ready for this RFID thing,’ that’s going to get nowhere with the board.”

Hughes’s mission, then? To help her company formulate a business strategy that takes those concerns into account.

CSOs have heard that sentiment somewhere before.

Here’s another snapshot. At E-Loan, an Internet startup that sold $153 million in loans in 2003, CPO Tess Koleczek says she is focused on solutions, not problems. She can’t just say no.

“If something comes up that might compromise our policy, I can’t go in and say, ‘You can’t do that,’” Koleczek says. “I can’t be a cop. I have to come up with a couple different solutions.”

For instance, if a business partner is asking for information about customers, Koleczek says it’s her job to try to find another solution. “I say, ‘Why do you want all that information on a specific customer?’” she explains. “They say, ‘Oh, we don’t. We want the information on what [customers in general are] doing.’ Then I might say, ‘Why don’t we give you that aggregate information?’ You just have to get to the core of what they’re asking for. Why do they want the information and how can we help them get what they need out of it?”

As with the CSO, the success of the CPO depends on his or her ability to make a business case for the protection of information. “There have been some CPOs who have really done a very good job in showing how privacy affects the bottom line,” says Ari Schwartz, associate director of the Center for Democracy & Technology, a consumer advocacy group. “Those have been the ones that have been most successful.”

But this business focus has made some in the CPO community wary even of calling themselves “privacy advocates.”

“‘Advocacy’ seems to be sometimes like protesters or flag-burners,” P&G’s Hughes says carefully when asked how she views her mission. “But [I’m an] advocate for doing the right thing, absolutely.”

Perhaps for the survival of the role, that’s a necessary caveat. “Privacy officers aren’t necessarily civil rights activists,” points out Brian Tretick, who leads privacy services for the Americas at Ernst & Young. “These are businesspeople, business executives, who are looking out for the success of the company. And if that success requires the use of information, they want to make sure it’s done according to policy and the rights and obligations of its subjects.”

CPOs are working within the system.


3 In the data world, security and privacy go hand in hand.


NOT ONLY HAVE THE ROLES OF CPO AND CSO grown up in similar ways, within the narrow confines of the information technology world, the two disciplines are tightly intertwined. As they say, you can’t have privacy without security. It doesn’t do much good for a company to promise, for instance, that it won’t sell customer information to a marketing company if hackers can access all the files anyway.

But this close association leads to confusion. “It’s a bit deceptive because sometimes privacy will surface as a security error,” EPIC’s Perrin says. What’s more, the privacy officer’s job often begins with a focus on IT, and morphs from there. That’s what happened to Jay Cline, anyway, when he first took over as data privacy officer at the Carlson Cos. The Minneapolis-based company, which operates Radisson Hotels, had Cline’s job located within the CIO’s office, and his focus was on information technologies. The company had determined that strong information security was a core foundation of privacy.

“Data privacy and data security have one thing in common: data,” Cline says. “For us, what that meant was, we needed to find out where the data was and who was responsible for it.”

Now that the company’s information security program has matured and Cline knows the answers to those questions, he is part of the audit function rather than the IT department. But Cline’s manager, Director of IT Audit Blake Pool, is responsible for auditing information security as well as data privacy, and both men still see the disciplines as closely aligned.

“Ultimately you’re striving for the same thing: to find the right way to optimize the use of information for the betterment of the business,” Pool says. “[Security and privacy] may have different angles, but they’re really trying to arrive at the same answers. If there is a tension, I think it’s a healthy one.”

“We [security and privacy] work closely together still,” Cline says. This is especially the case on issues such as creating the company’s security and privacy policies and vetting vendors to ensure that they will adequately protect information.

But Cline’s prediction, at least, is that the more mature both security and privacy get, the more separate they are bound to become. “Once the company knows where the data is and who’s responsible for it, the overlap between the roles will start to diminish,” he says.

Maybe the easiest way to think of all this is that security is just step one to privacy.

Or a component of it, anyway. For instance, when E-Loan decided to send some of its loan processing to offshore outsourcers, CPO Koleczek worked on developing a policy that would give consumers the option of keeping their data in the United States. Meanwhile, Steve Abatangle, director of information security, worked on tying down the information that did go overseas as much as possible so that workers in other countries could only view, not copy, customer data.

“A good chunk of privacy is about securing the information, even a little more broadly than we allow our CISOs to secure information,” Ernst & Young’s Tretick says. “We want the CISOs typically to protect access to information, and to allow access only to people who are authorized. But [with the CISO], we never get to the granularity of: What is appropriate use?”

The more the CPO gets into issues of fair use, the more his job veers away from security. And the more the CSO focuses on security, broadly writ, the more vivid the differences between security and privacy become.


4 Outside of the data world, security and privacy are tough to reconcile.


LET’S RIFF ON THIS POINT FOR A MINUTE. Suppose that an employee is about to be fired. And suppose that employee may have spent the better part of the past week copying files off the server and onto diskettes. Is it a violation of the employee’s right to privacy to monitor how he’s spending his megahertz? Or is it a risk to the company’s security stance not to know that the employee has been stealing corporate secrets?

Oh, and what if the employee isn’t in the United States, but in a country with stronger employee protection laws?

In scenarios such as this, the philosophical divide between CPOs and CSOs really begins to manifest itself.

“You get into a lot of discussions,” acknowledges Boston Scientific’s Mattice, after posing the preceding scenario as an example of the kind of conversation he might have with his legal department over privacy issues. (His inclination, by the way, is that if employees are using company resources, why shouldn’t the company be able to monitor what they’re doing?)

Mattice, and others, insist that in their own particular case, the relationship between security and privacy is amiable. “These are business issues, and there’s certainly nothing personal,” he says. “I hope they’re not contentious discussions—although I’m very passionate about what I do, and I love to debate.”

But it would be naive to think that such relationships are always harmonious. The fact is: CSOs and CPOs come from very different cultures. While many CSOs have a background in law enforcement, CPOs tend to come up through marketing. The two don’t always see eye to eye.

“Security officers are a bit like lawyers in that there’s no piece of information they don’t think they should have,” EPIC’s Perrin says. “They want to know what’s going on. If they have video surveillance tapes, they just want to keep them in case they need to know what’s going on. A privacy person will look at those videotapes more from the individual’s point of view. Security goes in the opposite direction of privacy in many respects.”

Yet many in the privacy community are trying to find common ground between security and privacy, even in these murky spaces. This is especially true in the government, where CPOs find themselves under a steady barrage of attacks from observers who believe that the government is trampling on citizens’ privacy in the name of national security. Indeed, the topic is one of O’Connor Kelly’s favorite talking points.

“I’d like to strike the word balance from everyone’s vocabulary,” O’Connor Kelly says passionately, when asked about the inherent conflicts between security and privacy. “I don’t think privacy and security are an either/or position. People always view the dichotomy—is it privacy or security?—and I say it’s not about one or the other.”

For instance, much of O’Connor Kelly’s attention in the past year has been on DHS’s controversial US-Visit program, which uses biometric identifiers to screen foreign visitors to the United States. The program has been lambasted by civil rights activists as an invasion of privacy. But O’Connor Kelly thinks that the privacy department, by being involved with the program, can actually help improve the effectiveness of the system from a security perspective.

“I’m not positioning the privacy officer as against any collection of information, but I think the collection of information has to be well-thought-out, limited and relevant to the information at hand,” O’Connor Kelly says. “We’re actually helping fine-tune programs to make better decisions for privacy, and to make better programs themselves. We can be enhancers of the business.”


STUCK WITH EACH OTHER

SEVEN REASONS CSOs AND CPOs ARE BOUND TO WORK TOGETHER

1. CPOs and CSOs share a primary goal of protecting information.

2. The success of both executives lies in their ability to make a business case for protecting information. Neither wants to be seen as putting the brakes on business.

3. Going forward, privacy and security could both end up in a risk management department.

4. Both sets of executives have roots in the information technology department, because of their involvement with how information moves throughout the company, but are trying to broaden their scope.

5. Sometimes the same person is in charge of both security and privacy.

6. CSOs rely on CPOs to help justify the need for information security to protect customer and employee information.

7. CPOs rely on CSOs to prevent accidental or malicious disclosure of private information.


5 Security and privacy executives will depend upon each other for success.


ONE THING IS CERTAIN: GOING FORWARD, the two executives will continue to be dependent upon each other—however that future may look.

“It’s my contention, frankly, that the role of the CPO will transition, and we won’t recognize the CPO of the future in the way we will today,” says Richard Purcell, a former CPO of Microsoft who went on to found a consultancy, the Corporate Privacy Group. “Security and information management and legal compliance will combine into a differently structured role than we see today. I think that the two groups not only have to work together but that they will become a single group.” This may happen under the umbrella of emerging risk management departments.

Or it may be that the CPOs themselves morph. O’Connor Kelly, for one, already wonders if “privacy” might be too confining a concept for what she does.

“Years ago, people said privacy might be the wrong word, [that] it’s really about information management,” she says. “I think more and more that may be the right way to look at it. I wouldn’t say that privacy is the wrong word, but I think that privacy may be limited. We’re looking at bigger issues of the responsible use of information.”

That’s a conversation that the CSO certainly doesn’t want to miss. ■

E-mail  Senior  Editor  Sarah  D.  Scalet  at  sscalet@cxo.com. 


Give It to Them Straight

For tips on crafting a privacy policy that your customers will actually understand, read “Serving Up Your Customers” from the January 2004 issue of CSO. Find it at www.csoonline.com/printlinks.


32  www.csoonline.com  February  2005 


Knowing that you're managing risk.

Knowing is more than being aware. It's about being able to determine, prioritize and deliver what and how much protection is needed and where. You can't eliminate risk completely, but you can manage it and reduce your exposure time.

NetIQ Security Management is the only way to manage risk, assure compliance and secure assets. Our knowledge-based software solutions are intelligent and simple to use. Only NetIQ, a leader in systems and security management, gives you the assurance of knowing that risk is mitigated and your enterprise is secure, available and performing.

Knowing is everything!

© Copyright NetIQ Corporation. All rights reserved. NetIQ and the NetIQ logo are registered trademarks.


CSOs count on physical security metrics to evaluate their organizations’ performance and to communicate security’s value to other business executives. By Thomas Wailgum

METRICS ARE MEASURES that matter, providing evidence of performance both to experts and to interested observers.

That’s why CSOs are hungry for them. It’s not good enough to maintain a quiet, reliable security service until something goes wrong. Security executives want to understand how their operations are working and how they can improve. CEOs want to know how the security function is faring by looking at the department’s data. And metrics can provide the hard numbers and context on the performance of the security function, proving that nothing happening was the direct result of an effective security management program.

Key metrics vary by CSO, organization and industry. What’s important to energy provider Georgia Power (federal regulation compliance, for example) may not be important to coffee purveyor Starbucks (armed robbery statistics, for example). “Metrics resist uniformity,” says Dennis Treece, director of security for the Massachusetts Port Authority. “What works here may or may not work elsewhere.”

Photo by Gary Benson

IN THIS STORY: What metrics CSOs use ■ What it means to their operations ■ Why they talk to business leaders about what they are tracking

STARBUCKS METRICS INSIGHT: Rigorous tracking of processes leads to improvements and business value.

Metrics


Moreover, CSOs say that metrics don’t always have to be straight-up numbers. Impromptu conversations with key executives can sometimes have just as much punch as a glitzy, chart-and-pie-graph show in the boardroom. “Clearly, statistics on their own don’t make a very good read,” says John Hedley, head of group security for food maker Nestle. “You have to interpret them and put them into context.”

Here is the story of four security executives in different industries who give a rare peek into the physical security metrics that are important to them, their CEOs and their organizations. Taken together, these data points and measurements help them keep a firm grip on the most important metric of all: How much confidence the rest of the organization has in the security department.

Starbucks Tracks Everything That Moves

To Francis D’Addario, the connection between security metrics and how effective he is as CSO of Starbucks is simple: His mission to protect people, secure assets and contribute savings year over year is validated with key performance indicators.

Whether D’Addario, vice president of partner and asset protection at the $5.3 billion coffee and food retailer, is talking about physical assets (stores and equipment), liquid assets (cash and coffee) or human assets (employees and customers), using metrics is how he judges the success of his security group.

First and foremost on the priority list, D’Addario says, is the safety of people. The frequency of armed robberies at retail outlets, for example, is an important metric at Starbucks and within the retail industry. He says that since 1996, when there were 46 incidents per thousand Starbucks stores, there has been a steady decrease to a best-in-class 11 per thousand in 2004. D’Addario says Starbucks’ numbers compare favorably to historic trends at similar outlets, such as quick-service restaurants (which have averaged 45 armed robberies per thousand) and convenience stores (125 per thousand). He uses metrics from uniform crime reports and industry associations.

Since 1996, when there were 46 armed robberies per thousand Starbucks stores, there has been a steady decrease to a best-in-class 11 per thousand in 2004.

D’Addario says the decline in robberies at Starbucks has resulted from implementing better awareness campaigns to help employees anticipate problems. Technologies, including smart safes and an interactive system that confirms security events, also have played a role.

Other metrics D’Addario relies on include tracking the frequency and outcomes of background identity checks, employee access control compliance (which is measured by spot audits and credentials checks), and cash or asset protocol performance (including sales, deposit preparation and banking). D’Addario says those are continuously audited, and exceptions are investigated routinely. “Cash loss is monitored as a percent to sales on every business unit’s P&L,” he adds.

D’Addario says that some measures he takes for security are also valuable to Starbucks’ quality assurance team. For example, tracking how well the company maintains the integrity of its food containers remains a critical interest for both his security group and quality assurance. Container integrity is the reasonable assurance that the contents shipped—via overseas and truck routes—are those that were ordered. The company performs auditable inspections on these processes, including checking the integrity of container seals, he says.

Because Starbucks is global, methodologies for tracking these processes vary by region, depending on the infrastructure and technology available. But the measures are an essential component of quality assurance, D’Addario says.

Key performance indicators are tracked by period, quarter, year-over-year and five years running, he adds. “That enables cost and benefit impact assessments, risk-gap closure analysis as well as return on funds spent,” he says.

The trend analysis that D’Addario documents allows him to test new security technologies and protocols against the trends to decipher if they are contributing to sales or net profitability.

Working in the retail industry, D’Addario also benchmarks his cash loss as a percentage of sales as well as inventory shrinkage numbers with reputable industry group figures. Those kinds of numbers (which he declined to share for publication) allow D’Addario to present security performance indicators to his bosses.

“Thoughtful prevention design with forecastable results for performance improvement are viewed as investment opportunities,” he says. As an example, he says that a number of international markets adopted exception-based reporting after witnessing its performance for top-line and bottom-line contributions in the United States. D’Addario reports that the protocol has since delivered the same performance in the international markets.

The key to all of that, D’Addario says, is that those forecastable results “are baked into the operational budget process with return expectations.”

While that puts your security department on the hook for demonstrable results, it also can make the CSO look brilliant in the boardroom when he delivers.

Nestle Metrics Emphasize Prevention and Protection

When there is civil war where your people are working, one physical security metric rises above all others: Keeping all of your employees alive.

For John Hedley, head of group security for Nestle in Vevey, Switzerland, this scenario played out in November 2004 at Nestle’s operations on the Ivory Coast. The West African nation has experienced constant turmoil between the government and rebel forces for the past three years. Hedley’s security staff, led by a regional security manager based in Abidjan, the commercial capital, set in motion an evacuation plan for the international Nestle employees when it was clear that the violence was escalating to a dangerous level. The Ivory Coast produces 40 percent of the world’s cocoa, and Nestle is one of the biggest purchasers. The evacuation of Nestle’s expatriate staff was accomplished “with a minimum of hardship,” Hedley says. “While such an unplanned departure is distressing for all, at least we were able to set in motion some pre-evacuation plans.” Hedley’s group had reviewed those plans just three weeks before the evacuation happened.

For a global company such as Nestle, with 115 production facilities in 86 countries, Hedley says operations such as the Ivory Coast evacuation are a necessary and expensive undertaking. Metrics enter afterward, in judging how well the operation went, what went into the preparation involved and the results—such as whether there were injuries or deaths.

Photo by Reto Schlatter

JOHN HEDLEY, NESTLE. METRICS INSIGHT: Preparing to handle disasters can avert big losses in life, capital and prestige.

“We have not done a cost-benefit analysis of how much money we have saved because of the security plan in place,” Hedley says, adding he was not sure of the evacuation’s cost. “We had more important things on our mind,” he says. “Having a plan in place and revisiting it once a quarter or year may be the most important metric of all.

“However, the costs can be reduced by effective contingency planning—the emotional cost for the staff concerned as well as the financial cost,” he adds. “Getting everyone out safe and sound means that there are no staff replacement issues. Keeping the factories and other buildings properly protected ensures continuity or early restart of production. These benefits could be measured if required.”

Hedley says he can’t apply blanket security and preparedness metrics around the world. “The ability to equate performance in one country, in one region, with another is difficult,” he says. “For example, our security officers in New Guinea are armed (but with bows and arrows), whereas in most places they are unarmed.”

Even with those impediments, Hedley does employ physical security measurements wherever he can. The areas most important to him are Nestle employees, distributors and consumers; company property; and the strength of Nestle’s reputation and brand.

Hedley says he focuses much of his attention on Nestle’s brand and reputation among consumers. “We have a broad brand protection strategy, in which we work in close collaboration with the intellectual property department,” he says. “There’s a very strong argument that brand and reputation are worth more than physical assets.” Hedley points to the difference in measuring hard physical assets versus intellectual property and brand assets. “You can measure the number of burglaries you suffer and the amount of shrinkage,” he says. But in the order of priorities for his group, he looks to condensed milk as an example. “Stolen boxes of condensed milk can be replaced,” he says. “But if someone keeps them past the ‘sell by’ date, and then someone consumes it and gets an upset stomach, it’s not so much the actual value of condensed milk but the effect that the inappropriate distribution and handling of such products can cause to people.” And consumers’ upset stomachs tend to give him an uncomfortable feeling as well.

The bottom line is also important to Hedley and his bosses. “We [in security] are judged by our overall contribution to the profitability to the group,” he says. As an example, Hedley tells of how he grapples with trying to plan for the unforeseen. “Having the ability to reduce the number of events that are unforeseen is a very valuable metric,” he says. When he is able to do this, it grabs the attention of senior management. “If you can tell a story that says, We were able to preempt a problem that was going to affect us, and, Oh by the way, had we not done this, this would have been the cost—that is a very good story to tell.”

CSOs can estimate the damage that was not predicted or planned for by comparing to previous events or ones that hit other companies, Hedley says. You can say, If we hadn’t taken the action we did, then the probability effect would have been X. “The downside, however, is that you can’t say, This is the money we would have saved, and go put it back in the bank account,” he says.

Utility Uses Government Rules to Build Metrics

Margaret Levine, corporate security manager at Georgia Power, has found ways to convert the necessary burden of regulation into a bounty of physical security data for the electric utility.

Levine must demonstrate that Georgia Power, the largest subsidiary of Southern, the $11.3 billion regional utility based in Atlanta, complies with federal regulations. Her security group does that by completing security audits to make sure that the protected areas at plants and substations are indeed protected.

“We have reports documenting that the people who have access to those areas have legitimate reasons to be there,” Levine says.

Tracking results of these and other reports yields a measure that allows Georgia Power to compare its performance to itself in past years. It’s a conscious management decision to turn the “play by the rules” portion of the operation into a performance measure.

“You need to find a meaningful purpose other than just pushing paper,” she says. Security executives, she adds, can “take the next step and think, How can I use this report and statistics in a way to improve my security program or to better educate me about my customers’ business?”

A second metric for Levine comes from a combination of readiness reviews and penetration testing.


GEORGIA POWER METRICS INSIGHT: Scorekeeping on government regulations compliance yields valuable performance measures.

Photo by Sonny Williams


Five Metrics That Matter

George Campbell, former CSO of Fidelity Investments and now a security consultant, says there are hundreds of security metrics available for CSOs, who need to identify those relevant to their organization. Here are five important ones.

1. Risk analyses. The risk analysis process, a constant activity for security executives, incorporates several metrics: assets, loss events, vulnerability assessments (how easy would it be to do X, Y or Z?), likelihood of an event, probabilities, and options to mitigate vulnerabilities and their cost and benefits.

2. Value indicators. Cost-benefit analyses yield relevant metrics. “If you’ve got an investigation function that costs X amount of dollars, and it recovers twice that in losses, that’s a positive return on investment,” he says. But the value indicators will be unique to each business segment within a corporation. In the financial world, much is based on reputation. In businesses where there’s a lot of intellectual property, the value will be based on stopping someone from counterfeiting or stealing any proprietary processes.

3. Process performance. Response times and recovery procedures produce metrics. How long does it take to recover a critical business process lost to a natural disaster or cyberattack? What is the average time for a security officer to respond to a critical alarm or injured person? What is the time needed and cost of a background or business conduct investigation? “Every CSO develops annual objectives that must be measurable if they are to devote resources to their accomplishment—and be willing to be held to them,” Campbell says.

4. Integrity scorecard. Campbell says this is where the CSO tracks what keeps business executives awake at night. These include risk awareness; security breaches resulting in losses; hiring people with bad backgrounds; higher than normal accident rates; and failure to address known vulnerabilities. “You maintain a scorecard on what makes that business unit tick from an integrity standpoint,” Campbell notes. “You understand where to allocate your resources, and you can show the CEO where the problems could be in the business.”

5. Confidence measures. These allow the CSO to see how well the security function is delivering services. Through internal customer satisfaction surveys and postmortems on investigations, CSOs can measure the confidence the business has in the security department. “You can look at how well you did and what the problems are,” Campbell says.

Campbell adds that communicating the goal of metrics is a key activity. “If you’re going to track metrics on integrity or by a scorecard, you’d better pre-sell the process at various levels and be very careful to ensure accuracy of information and who you share it with,” he says.

The message, Campbell says, has to be that “CSOs are paid to report on risk as we know it and will work with other executives on resolving deficiencies.”

-T.W.


Readiness reviews are planned events and are a key component of Georgia Power’s business continuity program. The reviews assess whether employees and site security professionals at a particular facility understand that facility’s threat plans and know what to do when the threat level is raised or lowered. Readiness reviews also include interviews with local managers about facility security; an audit of procedures and documentation related to security requirements; an evaluation of the facility’s physical security program; and a review of its emergency action plan.

At the end of each review, Levine says, her office writes a report for the facility manager that highlights findings, best practices and recommendations.

For readiness reviews, Levine sends a team of security professionals unannounced to do security audits of all critical facilities and operations (though she declines to list what types of facilities those are).

In addition, penetration testing attempts to breach security—procedurally, technologically or physically—to determine whether the security program is functioning as it should, she says. “We may have someone try to walk through a facility without wearing a badge to see how far they can get before being challenged,” Levine says. “Or we may have someone see if they can talk their way around our delivery processing requirements.”

Results Reports

Results are reported in two ways. First is what Levine calls the “objective, scenario, outcome”: Here’s what Georgia Power was testing (for example, the effectiveness of visitor management personnel); here’s how security tested it (use of outdated or fake identification credentials); and here’s what happened. “The results are reported by comparing the test outcome with the test objective, in addition to including a description of how the test was carried out,” Levine says.

Second are the lists for “did well” and “areas for improvement”: These are reported along behaviorally based criteria (for example, clarity of communications with “outsider” or whether incident notification procedures were followed) as well as results-based criteria (penetration foiled or speed in which penetration was detected).

After collecting results, Levine’s group tracks the physical and technical security measures at each location to ensure that they are functioning properly. Physical security measures include perimeter barriers, lighting, locking devices and key controls, and signage. Technical security measures include intrusion alarms, closed circuit television and other monitoring devices, access control and visitor management systems.

“We would want to make sure that the security folks onsite knew what to do in the event of raising the threat level or a breach of security,” Levine says, “and also have a good awareness of security protocol and who they could go to if a breach did occur.”




Airport Keeps Records to Build Credibility

Dennis Treece’s boss, the CEO of Massport, has said that Treece must derive “effective security metrics,” ASAP.

Treece, director of security at Massport, the agency that runs Boston’s Logan Airport and several other transportation facilities, says that CSOs work very hard to show that nothing has happened, nothing has gone wrong. “CSOs need to know how to report nothing in context that makes sense,” he adds.

The three physical security metrics that matter most to Treece are uptime, performance and violations—all of which he tracks quarterly. With uptime (or availability) measures, he is looking for shortcomings in staffing levels and equipment availability compared with what’s required for an effective security program. Treece’s performance metric is simple: If the required performance standard is X, then is that being achieved? For example, if the baggage-screening equipment is supposed to process 500 pieces of luggage per hour, he must track whether his operation meets that target, and if not, why not.

Tracking violations of security policies is usually measured by failures to comply with government regulations. Treece says employees who break the rules need to be disciplined, motivated, trained—sometimes a combination of the three. Keeping track of trends in such violations helps a CSO keep track of the nature and extent of a problem.

Massport is subject to inspections by the Department of Homeland Security and the Transportation Security Administration, Treece says. If the inspectors cite the agency for failure to conform to regulations, “that is something you will want to know, track and work on so it doesn’t happen again,” he adds.

Treece says the tracking takes time, but it helps justify security operations. Not doing so means depending on others to make decisions about his operation. At the end of the day, though, Treece longs for one metric that remains elusive. “At any given point of the year, are we better off because of anything that we did?” he asks. “That would be nice to have.”

-T.W.


Tracking Trends

Incident trends and loss trends are next on Georgia Power’s metrics list. Levine says that it’s critical to be able to demonstrate that a CSO’s security program is a significant mitigating factor in preventing increased incidents and losses. Levine can compare incidents by quarter, year-to-year and across multiple years. She can note the changes in the number and frequency of incidents by type of incident (for example, thefts, threats against employees or sabotage), by line of business (generation, transmission, distribution, staff services) or by location. She follows the same process for tracking losses; she says she tracks property and monetary losses. The key, she says, is if you’re not able to prevent losses, then “you can demonstrate an ability to quickly pinpoint where the weakness was and put in place the appropriate stopgap measures.”

Levine adds that metrics must be more than in-house security tools; they have to be relevant to the people she supports—business executives, plant operators, substation engineers, customer service managers. She says her reports must contain information that is important to them, not just to security managers. Doing this, Levine says, “also enables us to educate them about things that are important from our perspective, and in that give-and-take process we’re able to validate the measures that we’re using.” Depending on the type of data and compliance requirements, Levine reports her metrics monthly, quarterly or yearly.

Levine considers two other factors when collecting data for metrics. The first is how Georgia Power compares to other utilities. And the second is data quality.

Levine says Georgia Power collaborates on metrics reviews with other security managers from within Southern’s 12 operating companies. (Besides Georgia Power, there are four electric utilities and companies in wholesale power, power generation management, natural gas, nuclear power and energy services. Southern also owns a wireless company and a fiber optics business.)

As for data quality, Levine says that it’s important to watch out for the equivalent of scorekeeping changes. She says Georgia Power recently transitioned from a 10-year-old case management system to a new system developed last year by Southern’s security managers. The case management system is a database that records all the details of incidents that are reported to corporate security. This includes an incident narrative and summary; victim, witness and reporting party names; losses; investigative activity; and case resolution.

Building the new system required a review of incident definitions so that a year-to-year comparison made sense, she says. For example, the old case management system had separate incident categories for burglary, larceny, fraud and robbery. But in the new case management system, all of those crimes are categorized as financial matters. “To make an apples-to-apples comparison between the old and the new, we have to select a specific subcategory (for example, larceny) in the new system,” Levine says. “Otherwise, the analysis—larceny versus financial matters—would show that we’d had a crime wave at Georgia Power.” And that’s the last thing that Levine and her executives want to hear. ■
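The two Georgia Power practices described above, trending incidents and losses by quarter, type and line of business, and mapping the old case-management categories onto the new “financial matters” subcategories so that a year-to-year comparison makes sense, can be made concrete in a few lines of Python. This is an added example, not code from the article or from Georgia Power: the incident records, the field layout, the dollar figures and the crosswalk table are all constructed assumptions, chosen so that the naive comparison Levine warns about (old “larceny” label against new “financial matters” label) shows a spurious doubling while the matched comparison shows no change.

```python
from collections import Counter

# Constructed sample incident records (not Georgia Power's real data; the
# field layout is an assumption). Each tuple is
# (quarter, category, subcategory, line_of_business, loss_usd).
# The "old" system used separate top-level crime categories and had no
# subcategory field; the "new" system folds those crimes into one
# "financial matters" category and keeps the old name as a subcategory.
OLD_SYSTEM = [
    ("2003-Q1", "larceny",  None, "distribution",     800.0),
    ("2003-Q1", "burglary", None, "generation",      4200.0),
    ("2003-Q2", "larceny",  None, "transmission",     350.0),
    ("2003-Q2", "fraud",    None, "staff services", 12000.0),
    ("2003-Q3", "larceny",  None, "distribution",     600.0),
    ("2003-Q4", "robbery",  None, "distribution",     150.0),
    ("2003-Q4", "threat",   None, "generation",         0.0),
]
NEW_SYSTEM = [
    ("2004-Q1", "financial matters", "larceny",  "distribution",    500.0),
    ("2004-Q1", "financial matters", "burglary", "generation",     3900.0),
    ("2004-Q2", "financial matters", "fraud",    "staff services", 9000.0),
    ("2004-Q2", "financial matters", "larceny",  "transmission",    200.0),
    ("2004-Q3", "financial matters", "robbery",  "distribution",    100.0),
    ("2004-Q4", "financial matters", "larceny",  "distribution",    450.0),
    ("2004-Q4", "threat",            None,       "generation",        0.0),
]

# Crosswalk from an old top-level category to the new (category, subcategory)
# pair. Writing this table down is the "review of incident definitions" step.
CROSSWALK = {
    "larceny":  ("financial matters", "larceny"),
    "burglary": ("financial matters", "burglary"),
    "fraud":    ("financial matters", "fraud"),
    "robbery":  ("financial matters", "robbery"),
}


def normalize(record, crosswalk=CROSSWALK):
    """Express a record in the new taxonomy, whichever system it came from."""
    quarter, category, subcategory, lob, loss = record
    if category in crosswalk:  # old-style label: remap it
        category, subcategory = crosswalk[category]
    return {"quarter": quarter, "category": category, "subcategory": subcategory,
            "line_of_business": lob, "loss": loss}


def count_incidents(records, category=None, subcategory=None, group_by="quarter"):
    """Count normalized incidents matching the filters, bucketed by one field
    (quarter, line_of_business, subcategory, ...)."""
    counts = Counter()
    for rec in map(normalize, records):
        if category is not None and rec["category"] != category:
            continue
        if subcategory is not None and rec["subcategory"] != subcategory:
            continue
        counts[rec[group_by]] += 1
    return counts


def loss_by(records, group_by="line_of_business"):
    """Total recorded losses, bucketed the same way."""
    totals = Counter()
    for rec in map(normalize, records):
        totals[rec[group_by]] += rec["loss"]
    return totals


def raw_count(records, label):
    """Count records by their stored top-level label with no remapping."""
    return sum(1 for (_, cat, _, _, _) in records if cat == label)


def naive_comparison():
    """Old 'larceny' against new 'financial matters': the taxonomy change
    alone reads as a crime wave, which is the trap the article describes."""
    return raw_count(OLD_SYSTEM, "larceny"), raw_count(NEW_SYSTEM, "financial matters")


def apples_to_apples(subcategory="larceny"):
    """Old and new counts for one subcategory after both sides are normalized."""
    old = sum(count_incidents(OLD_SYSTEM, "financial matters", subcategory).values())
    new = sum(count_incidents(NEW_SYSTEM, "financial matters", subcategory).values())
    return old, new


def percent_change(old, new):
    """Year-over-year change in percent; None when there is no baseline."""
    return None if old == 0 else round((new - old) / old * 100, 1)


if __name__ == "__main__":
    print("naive:      ", naive_comparison(), percent_change(*naive_comparison()))
    print("matched:    ", apples_to_apples(), percent_change(*apples_to_apples()))
    print("by quarter: ", dict(count_incidents(NEW_SYSTEM, "financial matters")))
    print("loss by LOB:", dict(loss_by(NEW_SYSTEM)))
```

The design point is that normalization happens once, in `normalize`, and every trend function works on normalized records; the crosswalk is data, so when definitions change again only the table is edited, and the old system's records never have to be rewritten in place.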

Thomas Wailgum is a staff writer for CIO (a CSO sister publication). E-mail comments to Managing Editor Michael Goldberg (mgoldberg@cxo.com).


The Metrics Quest

Under pressure from the CFO to quantify security benefits, a CSO finds measures that matter. Read “The Metrics Quest” from the November 2004 issue. Go to www.csoonline.com/printlinks.


40 www.csoonline.com February 2005



To gain access to the financial world, you have to go through Software House

C·CURE 800 Security Management System

Our fully scalable security management systems are used in some of the world’s leading financial institutions. Software House solutions give you real-time control over your entire enterprise access system and integrate with a wide variety of other security and corporate systems. Take control with the leader in security management systems — Software House.

• C·CURE® 800/8000 security management solution
• iSTAR™ intelligent controllers with DHCP support
• Solid integration platform for streamlined control of access, digital video, ERP, HR systems, asset management and more

www.swhouse.com



head of corporate security for Roche Diagnostics, says his security group works closely with sales, marketing and manufacturing representatives to fight product diversion.


Product diversion costs companies worldwide billions of dollars a year in lost revenue. It’s insidious, widespread and, to the consternation of executives who watch products and profits dribble out of their supply chains like milk from a baby’s lips, often legal.

To discover how diversion works and how they deal with it in their respective companies, Senior Editor Todd Datz talked with two experts on the topic, Randy Arnt and Max Brenton. Arnt serves as executive director of global security for retail giant Kimberly-Clark, maker of well-known brands such as Huggies and Kleenex. His responsibilities include supply chain security, brand and asset protection, litigation support and all other security-related activities worldwide. Previous stops include Whirlpool, Greyhound and Standard Oil. Brenton is head of corporate security and a 17-year veteran of medical products maker Roche Diagnostics. Brenton also has 20 years of law enforcement experience on his resume.


CSO: You’ve both noted that product diversion is a growing problem. Why is that?


Randy Arnt: Partly it’s due to globalization. We see a lot of antiquated regulatory enforcement systems in various parts of the world. And certainly the Internet plays a major part. If you go on eBay, for example, or a number of similar sites, you can see a lot that’s counterfeit or diverted product.

Max Brenton: It’s often a civil contractual problem in the United States, selling outside of the class of trade



Product diversion costs manufacturers millions—but often isn’t technically illegal. CSOs say combating diversion involves equal parts investigation and corporate politicking.


Product Diversion


[for which products are intended]. For instance, if you sell to a certain mail-order distributor, a contractual clause states they can’t sell the product over-the-counter. But sometimes that mail-order product will end up online somewhere. Or it will end up being sold on the shelves of local drugstores based on the fact that the chemistry of the product is the same.

CSO: In cases where it’s a contractual problem, and not actually illegal, is this something that the board of directors keeps an eye on? The politics of dealing with your big business partners sounds potentially tricky.

Arnt: You have to get management’s buy-in for that before you do anything else. Because if you don’t, and if they give mixed messages or if sometimes they enforce it and sometimes they don’t, it really becomes a mess. So it’s been to the top levels of our company. Because if you don’t have that, you’re wasting your time.

Brenton: I’m fortunate to the extent that I’ve got the ear of senior management in sales and marketing and the legal division. I report to the legal division and all the way up to our CEO. And we have a partnership, a team created with the sales, marketing and manufacturing groups to look specifically at diversion, theft and counterfeiting.

CSO: Give me typical diversion tactics you face, and the controls you use to combat them.

Arnt: Internationally, what we would normally see would be a distributor buying huge quantities—much bigger than their markets could absorb—and that product is being turned around and sent back here and resold.

Brenton: Diverters create shell corporations [to disguise diversion], which can change in no time flat. What you have to do is pursue the owners and/or the boards of directors to see if the same people are involved in that particular shell corporation.

Arnt: We do a pretty good job of monitoring new distributors closely. We do a due diligence on [new distribution partners] to


HOW DIVERSION WORKS

The opportunity for diverted goods largely springs from “tiered pricing,” in which one product may be sold at different price levels in different markets or circumstances. Accelerated globalization of business has created more opportunities today, as in this example:

1. U.S.-based Acme Widget wants to break into a particular Eastern European country, forecasting potential annual sales of 100,000 widgets. A low price point is mandated by the government of the target country, providing Acme with a 10% margin.

2. Acme finds a European distributor, ChannelCo, that offers even more optimistic forecasts and purchases 150,000 widgets.

3. ChannelCo surreptitiously ships the extra 50,000 units back into the United States, where ChannelCo can undercut Acme’s usual U.S. price and still make a healthy profit. ChannelCo marks packages and shipping documents “returned goods, manufactured in the U.S.”—which is technically true—to help evade Customs.

DIVERSION AT HOME

Diversion happens domestically as well. For example, a West Coast distributor or retail chain might over-purchase on widgets to get a better volume discount, then resell the extra inventory to another chain on the East Coast. In that case, Acme’s East Coast sales team might start missing its quotas because its sales territory, mysteriously, is already saturated with Acme widgets.


find out whether there may have been problems in the past with other consumer product companies. Then for a period of a year we look at their sales, and make sure that we’re satisfied that the products are being used for the [agreed-upon] market. We have been able to find good service providers for those due diligence checks. If we uncover issues, of course, then we don’t do business with those distributors. It seems that globally there are due diligence or investigative service providers out there that have a long reach and do a pretty good job.

CSO: What about a domestic example—a customer that’s bought huge quantities and then resells. Is it typically large, well-known chains? Or the small guy?

Arnt: Many of the big chains purchase diverted goods; their basic premise is that they have a responsibility to their stakeholders to get the product at the lowest price possible. In fact, it doesn’t happen to be a customer of ours, but there is a very, very large chain that recently filed suit against one of the hair product providers, suing them for restraint of trade. It turns out that this hair-care company was only selling to salons. And their products would wind up in this chain that had been purchased as diverted product.

So the hair-care company threatened to sue this chain. The chain turned around and sued the hair product company, saying that it was a restraint of trade that they were not able to purchase this product from this manufacturer. Kind of an interesting approach, taking the offensive, I guess, on this. But a lot of big chains just feel that that is the way to do business—that they’re going to get the best price they can. If we can get it to them, fine; if we can’t, they’ll look elsewhere.

And when you’ve got a huge customer like that, you’ve got to make a value judgment: “OK, maybe there are distribution clauses in there, but given the volume that they’re selling, is that something that we’re going to enforce, or are we going to handle it differently?”




PHOTOS ON PREVIOUS PAGE: LEFT BY DAN BRYANT; RIGHT BY TOD MARTENS


BIOMETRICS AUTHENTICATION

ADVERTISEMENT

The Eyes Have It

Premiere research facility relies on Panasonic iris readers for superior access control


When you’re running a research facility full of sophisticated equipment and sensitive information, you need to know precisely who’s entering and leaving the building at all times.

Tracking that traffic is an important part of Jack Whaley’s job as laboratory manager for the Nanofabrication Facility at the University of California at Santa Barbara (UCSB). After an extensive review and evaluation of access-control systems, Whaley selected Panasonic’s BM-ET300 Iris Readers based on their ability to deliver the highest levels of personnel authentication and identification.

“We found iris recognition to be the most robust and accurate biometric access-control technology available today,” Whaley says.

The UCSB Nanofabrication Facility serves the scientific and research communities by offering a full range of processes in compound semiconductor-based device fabrication. Essentially, the facility engineers new or improved materials on the scale of individual atoms. This field of research, known as nanotechnology, is a relatively young discipline with numerous applications across a broad range of industries. For
example,  nanotechnologists  have  devel- 


[Ad graphic, BM-ET300 feature list: 1 in 1.2 million FAR; 2 iris enrollment; face camera; smart card; tamper resistant; UL-294; non-invasive identification]

Visit our web site at www.panasonic.com/irisreaders or call toll free 1-866-PAN-CCTV


All the best in Iris Reader technology.

Panasonic’s BM-ET300 Iris Reader is simply superlative. It delivers the most performance features available. Like a multi-camera system for dual-eye reading and integrated video surveillance. A self-prompting guidance system. And Wiegand compatibility for integration into any access control system.

Plus all the benefits iris reader biometrics have to offer, including non-invasive operation with the highest levels of authentication and identification.




“If you don’t have management’s buy-in, you’re wasting your time.”

-RANDY ARNT, EXECUTIVE DIRECTOR OF GLOBAL SECURITY, KIMBERLY-CLARK


Brenton: One of our major distributors had been purchasing secondary product. And remember, they’re a business, and it’s a business decision. But what happened was, someone in that tertiary or secondary market had gotten ahold of counterfeit product. The counterfeit product then became mixed in with the diverted product, and they had no way of knowing that. And so we went back to three of our major distributors saying, “We know you’re the victim the same as we are. However, let’s make our partnership stronger.”

We were able to go back and say, “OK, let’s look at the choices—buying from us or buying from secondary dealers. It creates a lot of problems.” Now, has that stopped all of the secondary dealers? No. But has it solidified our relationship with our major distributors? Yes, it has.

CSO: So you’ve mentioned due diligence on international distribution partners, and contractual efforts. What other types of antidiversion controls have you put in place?

Brenton: We have an extensive training program where we go out and explain this issue to our sales folks in the field. Also, I have a great liaison with all stages of law enforcement—the FDA, U.S. Customs, Immigration and Customs Enforcement.

We’re now finally taking great steps in reducing the numbers of products that go out, and doing it by identification on the boxes and on the vials, and using tracking devices. It’s still a business decision, but the traceability of the product is much better now than it was five years ago. We’ve actually reduced our classes of trade domestically. Your brand identification is very, very important. And what we’ve done is we’ve reduced the numbers of products that go out that are, in essence, the same product but for different arenas.

For instance, mail order for hospitals and caregiver facilities—that product should be sold at a reduced cost simply because we’re dealing with people who need that product, and sometimes they are, in essence, strapped for money. And we’ve taken that into consideration. So [the product] is not identified for over-the-counter sale; the product looks the same, but it’s in different colored boxes, and it will say “Exclusively for mail order. Not for sale in retail outlet.” If somebody gets that across the counter, then there’s a direct line that they can call.

We’ve also created Accu-Chek Customer Care training sessions for our customer representatives. They’ve done a wonderful job of filtering calls, and then letting us know when there could be a secondary product or a counterfeit issue.

We make sure that foreign product is registered differently with the FDA. We don’t want that product back in the United States, so it has a different box and a different look. And it says, “For export only.”

We’ve tried the holograms [on packaging]. We’ve tried stickers. But those can be duplicated in no time flat, especially in the Far East but also right here in the United States.

We liaison with the Internet based on a criminal case where we lost about $4 million in product. It was a former employee who sold every bit of it across the Internet. What happened was, this person went out and found several others to purchase this product. And so they were ordering the product under false pretense, shipping it across state lines and making a tremendous amount of money off it. Those folks are now under indictment. One has already been convicted.

So we do pursue it from our old vantage point of investigation. But it’s critical to interface with the business units and lend your expertise to them. For instance, a simple change in the number of dots on a box, the forensics that can prove that it’s not your glue that seals the box, lot number changes that indicate that it can only go to specific places—these things can tell us exactly where diverted product comes from. And that’s borne out of our being burned several times.

Arnt: We do everything from bathroom and facial tissue to health-care products. We’re now a health and hygiene company as opposed to just strictly a consumer products company. And obviously with the health products, we have put more controls in place there because of the concerns about product safety. A lot of our controls have to do with packaging—institutional packaging versus hospital packaging versus consumer packaging. Also labeling, although labeling is an interesting issue for us. Because in order to reduce costs for your consumer product packaging, your advertising and so forth, you will see more of the same labeling and packaging throughout the world. If it’s got French, English and Spanish on it, that doesn’t tell you much in terms of where that product came from.

The packaging does mean more. And then tracking of course. A lot of the big customers that we have (and one of our biggest is Wal-Mart) are requiring radio frequency identification tracking as part of the way we sell to them. This will have a lot of side benefits as this technology expands because it’s going to be able to tell you a lot of things about where this product was in the supply chain, and where it should be. It just provides a tremendous amount of information that should help us in the long run, especially with diverted product.

Brenton: Right, we have antitheft devices on the inside of our boxes. And the biggest issue is, people don’t really notice this. With a counterfeit product or a foreign product that is repackaged in U.S. packaging, they do not [carry the antitheft devices]. So that’s one indicator to us that the product






“We found iris recognition to be the most robust and accurate biometric access-control technology available today.”

Jack Whaley, laboratory manager, Nanofabrication Facility at the University of California at Santa Barbara (UCSB)


oped  water-resistant  textiles,  tiny  lenses 
for fiber optic switching devices and better sporting equipment, such as golf balls with less of a tendency to hook. They’ve also created new substances that are 100 times stronger than steel at a fraction of the weight.

Much of the facility’s research is privately funded by organizations that have invested heavily in the development of breakthrough materials. Keeping such research safe from inquisitive eyes — and from competitors — requires especially tight security. With about 200 visitors using the facility and its internal laboratories each month, Whaley wanted a better solution than the access-control cards the facility had used for 15 years. “Maintaining the [access-control] card system had become an ongoing time-sink,” he recalls. In addition, he says, “the level of security was fairly low; people can lose their cards or lend them to others.”

Whaley began exploring biometric technologies, which measure and analyze individual human body characteristics to provide highly precise identification and authentication. Among the options he rejected were fingerprint and handprint identification systems because, he says, “These technologies were not accurate enough.”

However, iris recognition — which uses a non-invasive eye scan to identify people based on the highly unique patterns in their irises — fit the bill with nearly 100 percent accuracy. The technology also simplifies the authentication process for both lab staff and visitors: It requires no cards or tokens that can be lost, stolen or duplicated and no passwords that can be forgotten or corrupted. Users can be authenticated without even touching the technology.

Ultimately, Whaley selected the Panasonic BM-ET300 Iris Recognition




“Holograms and stickers on packaging can be duplicated in no time flat.”

-MAX BRENTON, HEAD OF CORPORATE SECURITY, ROCHE DIAGNOSTICS


was not manufactured in the United States.

CSO: What are the complications in working with law enforcement abroad?

Arnt: China, a few years ago, before they got into the World Trade Organization, was a huge problem for all consumer product companies. We were able to get very little enforcement until a few years ago. The problem now has significantly diminished because the Chinese authorities have taken much more interest in terms of going after this. China has really emerged as both a consumer and a manufacturing dynamo, and a lot of that is because they’re taking intellectual property and trademarks, at least from our experience, much more seriously than they did.

We did find some other countries in Southeast Asia where diversion would show up. But Southeast Asia in general had counterfeiting problems—for instance, Vietnam. But you would see these little mom-and-pop shops. Sometimes they would go to your packaging manufacturer and purchase overruns on your packaging, and then put an inferior product in it, go out and sell it on the marketplace.

CSO: Do you use antidiversion software?

Arnt: We use services to help us identify diversion. I’m not sure what software programs they have. A lot of it is database programs where they’ve had experience with a diverter before. But we use a couple of services that assist us in getting a heads-up: “This particular diverter has this amount of product out there on the diverter’s line. If you’d like us to see what we can find out about it, or make a purchase or whatever, we can do that.” We do a number of investigative things that way. We have a couple of ex-diverters who provide some assistance to us in terms of actually being able to go out and speak the language, in some cases make a purchase if we need to, and help us identify some of those channels.

CSO: Explain the “diverter line.”

Arnt: The diverter line is where they know to go and look for product that is diverted or sometimes stolen. I don’t know the address because the diverters, the people that work for us, don’t give us that information. But there is such a thing as a diverter’s line where they can go and put their requests out there and respond to one another. Some of it’s online. Some of it is simply a Rolodex; they can call people and do it that way.

Brenton: I’m aware of a couple of programs that actually will digest and diagnose pop-ups and spam, and then will pursue it by giving you an in-depth report on your product—what’s seen, where it is, what it’s going for. Then we know the percentage of profit sometimes or the percentage of loss. We do use one, but we really don’t want to discuss it too openly. Mostly, it tells us the who, what, where, when, why. Sometimes it doesn’t tell the how. If the product is available on the Internet, for instance, the software will tell you an e-mail address where you can purchase this product. Or it will tell you the name or the phone number to call.

Arnt: There are a couple of other services out there. We will do monitoring ourselves, but we also have somebody do that for us. We use an Internet Crimes Group product called iThreat Solutions. In some cases, they’re going into the deep Internet chat rooms, and they’ll monitor Internet auction and sale sites for you and spit out a list of what’s out there. There’s another company called GenuOne, which has an Internet service that lets companies punch in a list of their brands or products that they want to monitor.


CSO: Can you enlist customers to help out?

Arnt: Absolutely. We get a fair amount of tips from customers and distributors, like, “Hey, there are things showing up out here that are below our price.” So between your salespeople, your customers and your distributors, you’ve actually got a pretty good intelligence network.

CSO: In spite of that, clearly there’s no simple remedy for diversion. You gather intelligence from many sources, you think about tracking and contracts and training....

Brenton: Things that I was never involved in before, I’m totally involved in now. For instance, the package: the look of it, what needs to be on it, identifying marks on or inside the package. Show the value of how security can increase their revenue and give them background investigations.

You’re protecting the customer, and you’re protecting your investment for your stockholders and for your corporation. But most important, you’re protecting the end customer, the patient.

Arnt: I think I was fortunate; the company had a pretty good understanding to begin with. To Max’s point, I think that it is something where security can really show some value added. Let’s say that you find $10 million worth of diverted product. And believe me, that isn’t a huge amount of diverted product sales. If you’ve got a 15 percent profit lost opportunity, you’re looking at a million and a half dollars that you can stick back on the bottom line.


Cut Your Losses

CSO talks with three experts on loss prevention. Read “What Do the Mob, eBay and Winona Ryder Have in Common?” from the April 2004 issue. Go to www.csoonline.com/printlinks.






Iris recognition requires no cards or tokens that can be lost, stolen or duplicated and no passwords that can be forgotten or corrupted. Users can be authenticated without even touching the technology.


Readers because they “delivered the performance characteristics we wanted to tightly monitor and control access to the facility and internal labs.” In August 2004, the facility deployed the readers at the research facility’s main entrance and at the entrances and exits to the laboratory area. Each reader features a multi-camera system offering “one-glance” authentication and an audio and visual user guidance system for fast, simple operation. “This process is very easy,” says Whaley, who personally instructs new users and hasn’t yet found anyone who can’t figure out how to use the system.

For added reliability, the BM-ET300 incorporates an embedded processor with real-time operation, allowing its use in a systems configuration. The Panasonic BM-ET300 also features a Wiegand input and output for quick integration with virtually any access-control system (in the UCSB case, Panasonic’s BM-ET300s seamlessly integrated with the Amag Technology software in use at the research facility).

Not surprisingly, the iris readers initially cost more than a new or upgraded card-reader system. But ongoing maintenance costs have dropped significantly because the facility is no longer replacing lost or damaged control cards. As Whaley puts it: “People don’t lose or damage their irises, and they can’t be replicated.”

The iris readers provided another advantage: “We use them to accurately track and record time and attendance for billing purposes,” Whaley says. But he adds that the biggest benefit is that the UCSB Nanofabrication Laboratory is today more secure than ever: “We have a high level of confidence with the iris-reader technology in place.”


For more information, visit the Panasonic Security Systems Web site at www.panasonic.com/security or call 866-726-2288.


BM-ET300

It’s the Iris Reader for any application.

Panasonic’s BM-ET300 Iris Reader performs to the highest standards in every Wiegand-compatible access control application. Whether safe-keeping cash, pharmaceuticals, data, patients or our nation’s borders, the BM-ET300 delivers the highest forms of authentication and identification attainable from any biometric device. Along with an array of features that’s clearly unequalled.

All the more reasons why the versatile BM-ET300 is worth looking into.

Visit our web site at www.panasonic.com/irisreaders or call toll free 1-866-PAN-CCTV


CSO Perspectives


between the art and science of security, continuously weighed against the needs of the business. Getting the “science” part of the equation right is the easier part. The technologies are known entities, and better ones continue to evolve. There are quantitative measurements around such issues as intrusion detection, forensics and regulatory compliance, along with more mature attempts to quantify the ROI of security.


It’s the “art” of security that’s the harder part—the art of diplomacy, of persuasion, of getting into and understanding other mindsets. It’s everything from establishing security procedures everyone will actually follow to fostering positive relations with senior executives and the board of directors. It’s getting the staff to think like a hacker or terrorist to get ahead of potential threats.


Join your peers from business, industry and government as we tackle the challenges facing today’s senior security executives.


April  10-12, 2005 

Hyatt  Regency  Huntington  Beach 

Huntington  Beach,  CA 


Sponsored  by 


Presented  by 


The  Resource  for 
Security  Executives 



We’ll examine this complex balancing act by looking at what the top practitioners are thinking and doing, and by listening to what leading security and privacy experts think will affect the landscape of the future.


Governance and Convergence: Getting It Right

The convergence of physical and information security, if effectively governed within an organization, assigns accountability for security strategy and business plan creation at the highest levels. It can enable company leadership to identify, prioritize and balance security issues and needs of the business through a more comprehensive approach.

Enterprise Risk Management: A Matter of Focus

Looking at and balancing risk on an enterprise level is the only effective way to manage a corporation in our very complex world. Explore how enterprise risk management can give a single view of all types of risks, and an executive-level management strategy to deal with them.

Security as a Business Enabler

Perhaps the hardest part of security is to cost-justify it and show its value to the business. It’s like buying an insurance policy—no one really wants to spend the money. What if you could prove that security really can add value?

What’s Privacy Got to Do With It?

The importance of balancing privacy and security in a digital age is only overshadowed by the perceived difficulty of actually doing it. The current economic, legal and regulatory challenges after 9/11 have made it all the more important to ensure the adoption of good laws and technologies that protect privacy and security at the same time. We provide a roadmap.

The Cost of Compliance vs. the Cost of Non-Compliance

Some pundits say security is on the way to becoming a fully regulated industry, what with an increasing number of official directives from legislative bodies, regulatory agencies and industry consortia around the world. Toss in partially overlapping or completely diverse requirements from different agencies and you’re guaranteed that compliance will be that much more difficult—and very, very expensive. In this session, we look at the potential costs of compliance, weighed against the risks of non-compliance. What can CSOs do to understand the “dollars and sense” of it all, and to prioritize their organization’s compliance list?

The Role of Government: One Step Forward, Two Steps Back?

The US government, particularly DHS, has had tremendous opportunities to advance the public good and protect the American economy by strengthening both cyber and physical security and by building more cooperative relationships with the private sector. But there’s a perception that it has failed to seize those opportunities and to move forward. What should we realistically expect—and how do we make it happen?

The Art of Persuasion: “Selling Up” in the Organization

Senior management and boards of directors often still view security as an inconvenient cost of doing business. Many CSOs today have yet to report directly to the CEO or stand before their organizations’ boards, and have a fair way to go before they’re taken seriously as C-level executives. Each of our panelists brings a unique perspective to helping CSOs perfect the art of persuasion.

Plus More Peer-to-Peer Networking Opportunities

• CSO Golf Tournament
• Moderated Discussion Groups
• Luncheon Discussion Roundtables
• DrillDown Breakout Sessions
• Networking Receptions
• Sponsor Hospitalities


SPEAKERS

Michael J. Assante, CSO, American Electric Power
Bob Bragdon, Publisher, CSO magazine
David Burrill, CSO, British American Tobacco
Roger Cochetti, Group Director, US Public Policy, CompTIA
Bob Hayes, CSO, CXO Media Inc./IDG & Former CSO, Georgia-Pacific Corporation
Nuala Kelly, Chief Privacy Officer, DHS
David Kent, CSO, Genzyme Corporation
Lew McCreary, Editor in Chief, CSO magazine
James McDonnell, Chief Security & Information Officer, USEC and Former Director, Protective Security Division of the Information Analysis and Infrastructure Protection Office, DHS
Peter Metzger, Partner, Heidrick & Struggles
Bhavesh Patel, Vice President, Information Security, Genzyme Corporation
John Pontrelli, CSO, TriWest Healthcare Alliance
Jeffrey Rosen, Professor of Law, George Washington University and Author of The Naked Crowd and The Unwanted Gaze
Jeff Rosenthal, Vice President, BlessingWhite, Inc.
Marshall Sanders, Vice President, Global Security, Level 3
Krizi Trivisani, CISO, George Washington University
Ira Winkler, Industry Guru and Author of Corporate Espionage and Spies Among Us
Amit Yoran, Former Director, National Cyber Security Division of the Information Analysis and Infrastructure Protection Office, DHS
Jonathan Zittrain, Conference Moderator and Cofounder, Berkman Center for Internet & Society, Harvard Law School

To register and for more information, call 800.366.0246 or visit www.csoonline.com/conferences


Everyone knows it’s cheaper and better to build in security from the start of a technology project. Following the federal government’s lead, forward-thinking companies have formalized the process. Here’s why you should too.

By  Lauren  Gibbons  Paul 


TWO YEARS AGO, BRUCE BONSALL decided to build an addition to his house. Plans in hand, Bonsall’s first stop was his town’s building authority to begin the permitting process. Along the way, Bonsall, the CISO for MassMutual Financial Group, got to thinking: What if there were a building permit process for IT projects?

At the time, Bonsall recalls, “Too many projects were making it almost to production without adequate security consideration.” On more than one occasion, tipped off by the auditing department that a new system did not adhere to security policies, Bonsall had the unappealing task of sending it back for more work, such as building in a connection to the enterprise electronic authentication system, before the application could be deployed. Needless to say, these situations left everyone unhappy.


“I wanted to create a process that adds value and gets [security] involved up front, rather than stall the project at the 11th hour,” he says. Extending the building permit analogy to IT projects suddenly seemed like the ticket. “Before you start [a building project], the building inspectors want to see your plans, they want to ask you some questions about your project. As you go along, you have some inspections. When you’re done, they sign off that everything was done properly and you get a certificate of occupancy. Most people are familiar with the process,” says Bonsall.

Bonsall had stumbled upon a concept that got its start in the Department of Defense roughly 15 years ago. Goaded by late ’80s risk legislation, the federal government requires its IT projects to go through a formal security certification and accreditation (SC&A) process—known by the unwieldy acronym Ditscap (see “How the Feds Do It,” this page)—from inception. “Certification is the documentation and evaluation of the system against a specific set of guidelines. Accreditation refers to the point where a decision maker outside the security organization chooses to accept whatever residual risk remains with the system. That person then has the responsibility to actively manage that risk,” says Hart Rossman, chief technology officer for the enterprise security solutions business unit at Science Applications International Corp. (SAIC), which has a practice helping organizations establish SC&A programs.

Many private-sector companies have in the past shown a reluctance to invest the time necessary to build security into the IT project lifecycle. Now that’s changing, driven in part by the greater accountability created by the Sarbanes-Oxley Act and other regulations. Two financial services companies profiled here, MassMutual and Nationwide Mutual Insurance, provide insight into making the SC&A process work. Late application changes are costly, regardless of what industry you’re in, so CISOs may find these ideas worth imitating.

IN THIS STORY: How certification and accreditation processes build security into application development ■ How it pays off

52 www.csoonline.com February 2005

ILLUSTRATION BY LEO ESPINOSA

Application Development

How the Feds Do It

Starting in the early 1990s—long before the MyDoom worm, I Love You virus and the tragedy of 9/11—the Department of Defense developed the DoD Information Technology Security Certification and Accreditation Process (Ditscap).

Ditscap is a standardized certification and accreditation (C&A) process that DoD employees and contractors must follow at every stage of an IT project. The certification portion of the process means the system has been analyzed as to how well it meets security requirements laid out in applicable federal documents (such as the Orange Book, part of the National Security Agency’s Rainbow Series of books on how to evaluate the security of computer systems).

The final certification statement says to what degree (in terms of percentage) the system complies with the specified requirements. For example: this system meets 85 percent of the requirements; of the 15 percent of the requirements the system does not meet, 8 percent represent high-risk vulnerabilities while 7 percent represent medium-risk vulnerabilities. Then an accrediting authority (from outside of the security organization) can elect to assume the identified risks inherent in the system by deploying it, send it back for more work or table it altogether.

Ditscap comprises four phases that span the project’s lifecycle:

1. Definition. The designated accrediting authority, the user representative, the project manager and the certifier come together to determine what level of certification the project will entail, as well as define the requirements.

2. Verification. The system is developed and the certification process is analyzed to ensure it is sufficient. Once work on the system is complete, the C&A team determines whether the system is ready to be validated.

3. Validation. The system test and evaluation plan describes in detail the security features to be tested. The C&A team also produces several other documents, including the risk assessment report. The final step is the formal accreditation, issued to an IT system that is approved by the accrediting authority to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

4. Post-accreditation. Includes activities necessary to operate and manage the system at an acceptable level of residual risk. Begins after the system has been deployed into the production environment and continues throughout the life of the system.

STARTING WITH ATTITUDE

In MassMutual’s case, the familiarity of the building permit concept also helped Bonsall and his group smooth over some political bumps in establishing the program about a year ago. For starters, the security group was not “out to get” the IT staff any more than the town building officials were throwing their weight around with local homeowners. Still, going from having no formal process to having a full-bodied program is difficult. “There was a fair amount of campaigning up front. Senior management immediately understood why we needed to do this,” he says. With the critical executive support in place, 18-year MassMutual veteran Bonsall (who reports to the company’s CIO) and his staff (two of the 28 information security personnel would serve as IT project security consultants) had to convince the IT professionals that this was worthwhile, tailoring the message to fit the specific audience. “The developers had to understand why they were being forced to go through this. Project managers had to understand there are security processes that have to be adhered to,” says Bonsall.

And change is a two-way street. Bonsall’s group altered its process to better meet the IT group’s needs. When IT building permits first began, everyone who wanted to buy a product, build an application or outsource a system had to spend at least an hour filling out a detailed questionnaire, including information such as what kind of data was involved and which platforms the new application would touch. After some feedback (read: complaints), Bonsall put in a preliminary step called triage. Anyone with a project in the works now calls or e-mails one of the security consultants, who quickly determines whether the project is completely innocuous (if there is no confidential information and the project will not affect the infrastructure at all, for example) or whether it merits closer scrutiny. About 15 percent of proposed projects skate past the full-blown review, saving everyone time and paperwork.

Responsiveness and a willingness to tweak the process go far toward establishing information security as a trusted corporate adviser rather than a cop or enforcer. That is key, according to Jack Jones, CISO and associate vice president for Nationwide Mutual Insurance. Jones implemented an SC&A process four years ago. “We’d rather play the role of counselor,” he says. “It isn’t that difficult because no one likes the stress and conflict associated with all those 11th-hour crises. We worked hard to make it streamlined rather than a boat anchor.... We have become a member of the team rather than the enemy.”

TO EACH HIS OWN

Each organization implements SC&A in its own way (see the boxes on this page).

Though Nationwide started its SC&A in 2000, it is only in the past two years that the process has matured and become part of its system development lifecycle. Jones leads a team of 100 in information security; between 25 and 30 people work exclusively on SC&A. This year about 800 projects (including significant hardware purchases as well as packaged and homegrown applications) will go through the SC&A process. Each project is assigned a consultant who will be part of the project, ideally from concept to retirement. Each consultant owns from six to 20 projects at a time, the high end of that range being for short periods when a business unit has a particular push for new applications.

The consultants are first and foremost security experts—generally holding CISSP or GIAC certification, not formal project management certification—but Jones notes that they also require excellent communication and people skills.

The conclusion of the process is also important. At MassMutual, when the consultant signs off on the appropriate measures being in place, Bonsall comes back to sign the certificate of occupancy, then the application or system is ready to be placed into production. Bonsall’s group consulted on about 360 projects last year.

Nationwide’s final step, called accreditation, has a twist that borrows from the federal government’s model. Here, a decision-maker from outside the security domain (such as the CIO or a business executive) attests that security has been accounted for and then accepts the responsibility for tracking and managing the residual risk in running the system. No matter how much security is built in, every application or system has some leftover risk. “Some security executives believe businesspeople can’t make the right decision about taking on information security risk. I believe those decisions should be made by businesspeople because risk is a business issue. Our job is to give them enough information to make an informed decision,” says Jones. Even at the end of a lengthy certification process, the deciding authority might make a decision that you don’t agree with. “There are times when we provide the information, and we personally believe they are not making the right call,” says Jones. That’s OK, because “they understand the project’s reward component; we don’t have visibility into that. At the end of the day, these are business decisions.”

How Nationwide Does It

1. The sponsor of the proposed IT project fills out a 20-question security questionnaire that specifies the type of information involved, the criticality of the systems and connectivity with other platforms, outside systems and the like.

2. An information security consultant reviews the questionnaire and assigns the project a risk level based on weighted criteria.

3. The consultant checks in with the IT project team throughout development and also determines which security criteria are appropriate, based on the type of project and the degree of security risk.

4. With development complete, the consultant certifies in a document that the project has addressed all relevant security measures.

5. An accrediting authority (outside of security) decides whether to assume the residual risk inherent in the system. If the accreditation goes through, the system is deployed.

6. The accrediting authority has responsibility throughout the system’s lifecycle, checking periodically to ensure that the level of attendant risk has not increased.

MassMutual’s process has not been in place long enough for Bonsall to have metrics on money or time saved. Bonsall believes he will have that evidence within the next year. Jones, who has been at this roughly twice as long, sees many benefits. For one thing, with each new project everyone learns more about security. “The IT people begin to absorb what we’re doing and come to understand our perspective. They have become much more self-sufficient over time so the issues that we do see are much less problematic,” he says.

Also, Nationwide tracks its SC&A efforts in a knowledge base. Jones now has the luxury of showing his boss, the vice president of IT risk management, how many projects started out high-risk that were labeled low-risk by the end of the process. (Nationwide declines to make the numbers public.) He can also pull up the number of pending and completed projects and how much time each took. Says Jones, “We have a tremendous amount of information about how we’re managing this process. Now we can show management our value proposition.” ■

Lauren  Gibbons  Paul  is  a  freelance  writer  based  near  Boston.  E-mail  feedback  to  Editor 
Derek  Slater  at  dslater@cxo.com. 


Robert Frances Group agrees that security requirements should be outlined in the early stages of a software project. Read “Security and the Application Development Process,” a CSOonline.com Analyst Report. Go to www.csoonline.com/printlinks.


How MassMutual Does It

1. An IT person sends a request for an IT building permit to the information security department. An infosec “consultant” goes through a short triage, and either sends the project for more evaluation or gives it a green light if the security risk is minimal.

2. The assigned consultant helps the project manager with a more detailed security questionnaire. The answers help the security consultant categorize the project as high-, medium- or low-risk.

3. The consultant continues to meet with the IT project team during development or vendor selection, checking the work against documented in-house security policies.

4. After basic system testing, the project applies for a certificate of occupancy, then heads into the quality assurance phase of testing.

5. After Q/A, the CISO signs the certificate of occupancy, and the application or system is placed in the production environment.
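The three processes above share a shape that can be written down as code: a triage rule (MassMutual’s “no confidential data, no infrastructure impact” green light), a weighted-criteria risk tier (Nationwide’s step 2), a certification statement of the Ditscap kind (“meets 85 percent of the requirements; 8 percent unmet high-risk, 7 percent unmet medium-risk”), and an accreditation record that only someone outside the security organization can sign and that must name every residual item being accepted. The Python below is an added illustration written for this page; it is not code from MassMutual, Nationwide, the DoD or the article. The questionnaire fields, weights, thresholds and the 100-requirement sample are assumptions, and the sample data is constructed to reproduce the article’s 85/8/7 example.

```python
"""Security intake gate modelled on the C&A steps described in the article.
triage -> weighted risk tier -> certification statement -> accreditation.
Field names, weights and thresholds below are assumptions for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Risk(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


@dataclass(frozen=True)
class Intake:
    """Sponsor's questionnaire answers (assumed field set)."""
    project: str
    confidential_data: bool      # PII, financial, health or trade-secret data
    data_sensitivity: int        # 0 public .. 3 restricted
    system_criticality: int      # 0 sandbox .. 3 revenue-critical
    internet_facing: bool
    platforms_touched: int       # other internal platforms it integrates with
    third_party_hosted: bool     # outsourced or vendor-run


def needs_full_review(i: Intake) -> bool:
    """Triage: no confidential data and no infrastructure impact -> green light."""
    infrastructure_impact = i.internet_facing or i.platforms_touched > 0 or i.third_party_hosted
    return i.confidential_data or infrastructure_impact


# Assumed weights; an organisation would tune these to its own risk appetite.
WEIGHTS = {"confidential_data": 4, "data_sensitivity": 2, "system_criticality": 2,
           "internet_facing": 3, "platforms_touched": 1, "third_party_hosted": 2}


def risk_score(i: Intake) -> int:
    """Weighted sum of the questionnaire answers."""
    return (WEIGHTS["confidential_data"] * int(i.confidential_data)
            + WEIGHTS["data_sensitivity"] * i.data_sensitivity
            + WEIGHTS["system_criticality"] * i.system_criticality
            + WEIGHTS["internet_facing"] * int(i.internet_facing)
            + WEIGHTS["platforms_touched"] * min(i.platforms_touched, 5)
            + WEIGHTS["third_party_hosted"] * int(i.third_party_hosted))


def risk_level(i: Intake) -> Risk:
    """Map the score to a tier (thresholds assumed)."""
    s = risk_score(i)
    return Risk.HIGH if s >= 12 else Risk.MEDIUM if s >= 6 else Risk.LOW


@dataclass(frozen=True)
class Requirement:
    ident: str
    severity: Risk   # risk left behind if this requirement is not met
    met: bool


def certify(reqs: list[Requirement]) -> dict:
    """Certification statement: percent met, unmet percent by severity,
    and the identifier of every residual (unmet) requirement."""
    if not reqs:
        raise ValueError("nothing to certify")
    pct = lambda n: round(100.0 * n / len(reqs), 1)
    unmet = [r for r in reqs if not r.met]
    return {
        "met_pct": pct(len(reqs) - len(unmet)),
        "unmet_pct": {lvl.value: pct(sum(r.severity is lvl for r in unmet)) for lvl in Risk},
        "residual": [r.ident for r in unmet],
    }


@dataclass
class Accreditation:
    accreditor: str
    accreditor_org: str
    accepted: set[str] = field(default_factory=set)   # residual items signed for by name


def accredit(cert: dict, acc: Accreditation, security_org: str = "information security") -> bool:
    """Accreditation is a business decision: the signer must sit outside the
    security organisation and must accept every residual item explicitly."""
    if acc.accreditor_org.strip().lower() == security_org:
        raise PermissionError("accrediting authority must be outside the security organisation")
    missing = [r for r in cert["residual"] if r not in acc.accepted]
    if missing:
        raise ValueError(f"residual risk not accepted: {missing}")
    return True


def sample_requirements() -> list[Requirement]:
    """Constructed data reproducing the article's example: 100 requirements,
    85 met, 8 unmet high-risk, 7 unmet medium-risk."""
    return ([Requirement(f"REQ-{n:03d}", Risk.LOW, True) for n in range(1, 86)]
            + [Requirement(f"REQ-{n:03d}", Risk.HIGH, False) for n in range(86, 94)]
            + [Requirement(f"REQ-{n:03d}", Risk.MEDIUM, False) for n in range(94, 101)])


if __name__ == "__main__":
    for i in (Intake("lunch-menu-page", False, 0, 0, False, 0, False),
              Intake("claims-portal", True, 3, 3, True, 2, False)):
        print(i.project, "full review" if needs_full_review(i) else "green light", risk_level(i).value)
    cert = certify(sample_requirements())
    print(cert["met_pct"], cert["unmet_pct"])
    signer = Accreditation("VP Claims", "claims operations", set(cert["residual"]))
    print("accredited:", accredit(cert, signer))
```

The point of `accredit` is the one Jones makes: security produces the statement, but the sign-off has to come from someone who owns the reward side of the project, and it has to be explicit per residual item so that nothing is accepted by default. Keeping `cert["residual"]` as a list of identifiers is also what makes the post-accreditation check (Nationwide’s step 6) possible: re-run `certify` on the current requirement status and compare the residual list against what was originally accepted.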




Audit  Agitation 

What  do  you  do  when  your  customers  want  you  to  do  an 
independent  security  audit— and  your  CEO  doesn’t? 


My CEO is a psychopath. No, really, he is. He’s a lying, manipulating, amoral, selfish, screaming-like-a-madman, intellectually challenged, dysfunctional excuse for a human being. And those are his good qualities. But, surprisingly, I read recently that I am not alone in enjoying such a CEO. It’s actually quite common for psychopaths to become CEOs. So much so that a company in the United Kingdom now specializes in employee testing to try to identify and hopefully retrain those exhibiting psychopathic tendencies before it’s too late, and they are taking the express train to the top of the corporate ladder. Too bad this company didn’t exist while my piece of work was in his formative corporate years.

I tell you all this not for sympathy, but so that you can imagine my discomfort when I had to approach my CEO and explain what a SAS 70 was and why we needed it.

For those who don’t know, a SAS 70, or Statement on Auditing Standards No. 70, is an internationally recognized standard developed by the American Institute of Certified Public Accountants. A SAS 70 audit represents that an IT services provider (for example, a financial services organization) has been through an in-depth audit of its control activities, which generally include information technology, security and related processes. The Sarbanes-Oxley Act of 2002 makes SAS 70 audits even more important to the process of reporting on effective internal controls at IT services organizations. That’s because the reports signify that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm, as Section 404 of Sarbanes-Oxley requires.

And I had to explain all this to a man who has the patience and temper of a 2-year-old with a diaper rash. Right.

It  Wasn’t  Exactly  a  Tea  Party 

I approached the CEO’s office with a queasy feeling of resignation and trepidation.

“Mr. Blowhard is running late,” his attractive, blond administrative assistant informed me. “He’s very busy these days, you know,” she continued, with a slightly irritated frown.

Great, I thought, I can enjoy my misery stew a little while longer. I sat in an overstuffed leather chair in the waiting area outside his office. Inside, I could hear Blowhard screaming at his latest victim, his voice rising steadily in a paroxysm of hysteria. Suddenly the door banged open and out the CEO sprang. His bald head sported beads of sweat.

He thrust out his arm, directing the way out. “And don’t f***ing come back here until you get it right!” he shouted. His unfortunate victim slithered past him.

Let me interrupt for a moment and tell you that I’m not making this up. My CEO is really this bad. Only a few identifying details in this story have been altered, and the names of the ignorant and incompetent have been changed to protect their privileged status.

“Who’s next?” he demanded. His assistant pointed at me. Maybe I should have worn barbeque sauce to this meeting, I thought.

“Get in here!” he yelled, and stomped back into his office. I followed him at a safe distance.

He turned suddenly and thrust his face an inch from mine. “What do you want?”

And a good morning to you too, sir, I thought.

“Well, Mr. Blowhard, we’ve been getting a lot of requests from our clients recently to provide SAS 70 documentation on our information security controls and practices.”

“I don’t care about that. I want to know what you’re going to do about passwords.”

I thought for a moment. What did he mean? Do away with them? Implement single sign-on? I decided to bite.

“Is there a problem with passwords?” I asked.

“I couldn’t remember my password this morning! I had to wait until my secretary logged me on. I don’t like waiting. Waiting is money. I want you to do away with passwords.” With a dismissive wave of his hand, he headed back to his desk.

I decided to ignore the obvious violation of policy prohibiting the sharing of passwords and to pick my battles. I cleared my throat. “That’s actually not a good idea, sir.”

He stopped and wheeled to face me. “Why not?” he said. I could have counted the number of veins sticking out on his forehead. “Don’t you ever disagree with me!”


ILLUSTRATION  BY  DAVID  HOLLENBACH 


“Without passwords,” I continued, “anyone could get into your computer. That means they could read all of your files, your e-mails, even send e-mails under your name. That could put the company at risk.”

“There’s nothing on my computer that’s sensitive! We’re an open company.” The irony did not escape me. But then again, only poets get paid for pointing out irony.

“Someone could send an embarrassing e-mail from your computer. Say they wrote to The New York Times or a major client.”

“They could do that now by creating a Hotmail account with my name on it,” he thundered.

“Yes, but the e-mail wouldn’t be from our company’s domain and....”

“Domain? You come in here and waste my time by talking security technobabble! This isn’t the CIA!”

“Actually, I came in here to discuss what our clients have been asking for—a SAS 70. It’s a third-party assessment of our security.”

“We have you to do our security! Are you telling me you’re not doing your job?” He was turning crimson. Maybe I should have updated my resume and put more money in that rainy-day fund.

“Let me explain,” I said. “There are regulatory requirements—like Sarbanes-Oxley—that require companies to check the security of their information services providers. To our clients, we are an information services provider. Our clients are asking us for an independent, third-party assessment of our information security practices so that they can be assured that we aren’t endangering their computing environment.”

“What does it cost?” he demanded. Now we were getting down to business.

“Because of the size of the company and the services we provide, it will probably cost us around a quarter of a million.”

“What?! You want to spend a quarter of a million dollars for a piece of paper?”

“Our clients....”

“If they don’t have anything better to do, then tell them to go f*** themselves! Now get out of here!”

“But....”

“I said get out!” he shouted. The door slammed behind me.

Great.  Now  What? 

I  trudged  back  to  my  desk  and  contemplated 
my  options.  Not  only  had  I  not  gotten 
approval  for  the  audit,  but  I  had  actually 
been  given  an  order  to  get  rid  of  passwords, 
which  would  have  been  crazy.  I  got  out  a 
legal  pad,  drew  three  columns  and  labeled 
them  “Option,”  “Pros”  and  “Cons.” 

In the first column, I put the password order. We could implement a biometric sign-in, which would allow us to drop the password and go with just the biometric identifier. But that would involve a lot of effort and money, and no one else in the company was complaining about passwords. I also had an obligation as a security professional not to weaken security by doing away with passwords. What doctor would knowingly put the lives of his patients in danger? By the same reasoning, what security professional would knowingly put the security of his network at risk? Chances are the CEO would never bring it up again. The first decision was made: Ignore the password order.

Next came the decision on the SAS 70. This was a different matter altogether. I wasn’t exactly putting the security of the company at risk by not doing the audit, but it was clearly important. My first option: Order the SAS 70 on my own. I couldn’t do this for two reasons. One: If the CEO ever found out, then he actually would have a good reason to fire me. Two: Because of the price tag, I would never be able to get it by the purchasing department without his permission.

Under the option column I wrote, “Go back to the CEO at a later time and hope that he is in a more receptive mood.” I considered that option for about as long as it took to think it up. Was I taking dumb pills? Given his previous psychotic behavior, I knew that day would never come.

Next I scribbled, “Go around the CEO to the board of directors.” The pros were obvious. Surely those people would sympathize with me. After all, hadn’t the recent corporate scandals shown that there should be better governance and corporate control? The cons, however, were significant. I might get the board to order the SAS 70, but it would be a public rebuke of the CEO’s leadership in his presence and would reflect poorly on me. I don’t think the CEO, my boss, would easily forget that episode. I quickly ruled out that option.

The last option was to simply wait and do nothing. If a SAS 70 was truly important, then let the regulators come in and demand it. Or, if it was really important to our clients, then let them require that we do the audit to keep their business. Apparently, those were really the only things that would get the CEO’s attention. I was convinced that nothing I said would change his mind. I circled the last option with an air of false bravado.

That’s where I am currently. I’m waiting for the proverbial shoe of fate to drop—or, perhaps more appropriately, to give me the boot. But, I figure, how is this any different from all of the other job-security risks a CSO faces? Couldn’t a hacker break in tonight and ransack our network? That might earn me a trip to the unemployment line. Or what about the ever-present risk of a cable-seeking backhoe severing a major data link and causing us to lose millions of dollars in a single day of trading? I knew a CISO at a major investment bank who had been fired for that unfortunate happenstance.

No, I figure it’s best to be philosophical about these kinds of professional risks. You should do the best you can so that you can sleep well at night.

And you should always keep your contacts with the headhunters up-to-date and your relations with them on the best of terms.

This column is written anonymously by a real CSO. Send your comments via e-mail to csoundercover@cxo.com.




February 2005 www.csoonline.com 57


What Keeps the CSO Up At Night?

Connecting security solutions to business realities is central to the CSO role. They must understand what risk means to their company and how to balance that risk with business opportunity. After all, the CSO is responsible for all aspects of the company’s security but is also a business executive with an eye on the bottom line.

CEO: wants the company’s employees, assets and information protected without compromising the ability and agility to capitalize on business opportunities

CSO: connecting all aspects of physical and information security with business realities, partnering with executive peers and communicating risks and solutions throughout the company

CSO: The Resource for Security Executives

CSO is the preferred resource catering to the expanding information needs of today’s strategic security executives. CSO provides CSOs with the resources they need to make their companies secure and competitive in today’s ever changing business environment.

CSO readers are responsible for:
IT Security: 70%
Compliance and Business Conduct: 42%
Traditional Security (physical security, facilities security and investigations): 32%

Source: CSO Magazine Security Sensor™, December 2004
CSO IS A PRODUCT LINE OF CXO MEDIA INC., AN IDG COMPANY

Technologies, Tools and Tactics


Unencumbered and Insecure

You can wirelessly sync your cell phone with your laptop. You can use the cell phone’s built-in modem to put your laptop on the Internet. With speed. Without cables. But be aware, even with security built in from the get-go, Bluetooth has problems. By Simson Garfinkel

IF THE WIRELESS revolution has taught us anything, perhaps the single most important lesson is that people who design radio systems are notoriously bad at designing systems that are secure.

Remember analog cell phones back in the 1980s and ’90s? Those phones transmitted their mobile serial numbers (MSNs) without the use of encryption or even a simple challenge-response system, making it easy for bad guys to clone phones and run up literally billions of dollars in fraudulent cell phone charges.

We’ve faced different but equally troubling security problems with cordless telephones, Wi-Fi wireless networking and radio frequency identification (RFID) systems, of course. But we’ve also seen security problems with relatively simple wireless systems like garage door openers and car alarms. In fact, I can’t think of a single wireless communications system that hasn’t had a significant security problem. Even worse, the problems have almost always been predicted in advance, pooh-poohed by vendors and then acknowledged to be problems after the equipment is widely deployed.

The very nature of wireless communications systems encourages sloppy security thinking on the part of wireless designers. After all, when a new wireless system is under development and not being sold to the general public, the bad guys—by definition—don’t have the wireless system either. As a result, designers are lulled into thinking that many possible attacks would be hard, if not impossible, for a typical bad guy to perpetrate. After all, it’s hard to build a new wireless system.

But once a system is built and deployed, the bad guys can examine it. They can also purchase one radio and use it to attack a second. Of course, the more radios that are deployed, the more valuable the attack. Perversely, the more radios that are deployed, the bigger the incentive for the manufacturer to cover up or minimize the impact of the vulnerability—after all, vulnerabilities are potential liabilities.

All of this, of course, brings us to the subject of Bluetooth, the two-way wireless communications system designed to create “personal area networks” between your cell phone, your cell phone’s wireless headset, your laptop, PDA and whatever other devices you’re packing.


ILLUSTRATION BY JOHN WEBER




Authenticity Matters


Bluetooth uses the same part of the radio spectrum as Wi-Fi wireless LANs. But whereas Wi-Fi uses a technique known as “direct sequence” to encode information, Bluetooth uses a different spread spectrum technique known as “frequency hopping.” The Bluetooth transmitter hops 1,600 times every second to a different frequency inside the unlicensed 2.4GHz radio band. Bluetooth and Wi-Fi are not compatible: If a Wi-Fi system is transmitting a packet when Bluetooth steps through, that packet is lost. For this reason, some businesses have banned the use of Bluetooth on their property for fear of interference with their wireless networks. In practice, though, it’s very hard to ban something that’s running in a cell phone unless you physically search everybody entering your property and confiscate the phones of visitors. I’ve worked at places where such precautions are taken, but for most businesses this is probably a losing battle.

Unlike Wi-Fi, Bluetooth was designed for extremely short-range communications. Class 1 Bluetooth devices have a maximum power output of 100mW and a theoretical range of 300 feet in free space. Class 2 devices have a maximum power of 2.5mW and a corresponding range of 30 feet. Class 3 devices have a power of 1mW and a range of 3 feet or less. Naturally, Bluetooth headsets tend to be Class 3 devices: Using less power, they can have correspondingly longer battery life.


Although it was slow to catch on at first, Bluetooth is becoming increasingly popular. It’s built into many PalmOne Tungsten PDAs, available on all Macintosh laptops, many ThinkPads and an increasing number of cell phones—especially GSM cell phones sold in Europe. With Bluetooth, you can wirelessly sync your cell phone with your laptop, or use the cell phone’s built-in modem to put your laptop on the Internet. Wireless means no cables to buy, tangle or lose. It’s also faster to sync over Bluetooth than over a serial or USB cable. Bluetooth is just cool.

But Bluetooth has many security problems—with more still being discovered.

To be fair, Bluetooth’s designers did build a rudimentary security model into the system. For starters, every Bluetooth device has a unique serial number called a BD_ADDR. This serial number is set by the factory when the device is manufactured. Every Bluetooth device also has a database of which other devices it trusts. When it first turns on, every Bluetooth device is supposed to trust nothing. But if you choose, you can explicitly “pair” two devices so that they will trust each other. Once two devices are paired, they can exchange encryption keys and use those keys to scramble all information exchanged between the two of them.

The first problem with this security model is the BD_ADDR itself: Just like an Ethernet media access control (MAC) address, it can be changed. As a result, if an attacker is able to observe the radio communications between two devices, the attacker can clone one of those devices’ BD_ADDRs and fool the other.

The second problem is the encryption itself. An attacker who clones a BD_ADDR can’t steal a prenegotiated encryption key, but in practice, few Bluetooth devices actually turn encryption on. There’s also some concern regarding the Bluetooth encryption algorithm: Rather than using an industry-standard algorithm like RC4 or AES, the Bluetooth designers invented their own. Although the algorithm hasn’t been cracked, I suspect that it’s only a matter of time.

The third problem with the security model is that there are many functions


Given that cybercrime is growing faster than kudzu in a manure patch, it’s ridiculous that most employees still log on to their corporate networks using a single, easy-to-guess password.

Options abound for the second factor in two-factor authentication: Smart cards to swipe into a keyboard reader. Tokens that generate onetime access codes every minute or two. Keychain fobs that plug into a PC’s USB slot. Biometric scanners for fingerprints, voiceprints, retinal patterns or facial geometry. These products are becoming more common as their cost declines and, particularly in the case of biometrics, accuracy rates rise. RSA Security, for example, claims 15 million users for its SecurID tokens and fobs.

But a few entrepreneurs have come up with alternative forms of strong authentication, ranging from simple to very complex.

BioPassword www.biopassword.com
BioPassword’s authentication software might be described as quasi-biometric. Upon installing the software, the user types in a sample phrase three times. BioPassword captures the “rhythm” of the user’s typing, and that cadence becomes part of the authentication process. A password thief can’t log in, unless he can duplicate the user’s unique typing style. (Refer to the company’s website to see how to deal with employees breaking a finger or other wrinkles.)

Passfaces www.realuser.com
Facial recognition has long been one of the most problematic biometric access methods: computers simply aren’t very good at identifying human faces. People, on the other hand, are very good at it. Passfaces seizes on this concept with what it calls “cognometric” technology. Each user memorizes a set of three to seven pictures of anonymous faces (selected from a library of options). When the user attempts to log in, he is presented a grid of nine faces, only one of which will be familiar. Pick the right face and he’s in. Obvious downside: An attacker has a 1-in-9 chance of guessing right. Upside: Faces can’t be written on Post-it notes and stuck on monitors.

Swivel www.swiveltechnologies.com
Swivel’s technology is meant to protect Internet transactions. Take the setting of online shopping as an example: When a customer establishes an account with a retailer, the retailer issues him a four-digit PIN (typically via snail mail). But to reduce the chance of electronic interception, that PIN is not entered into the PC or transmitted to the server as part of the log-in process. Instead, when the customer attempts to log in, the website generates a onetime string of 10 numbers, and the user applies the PIN to select the numbers in the correct positions in that string. For example, if the PIN is 1234, the customer would select the first, second, third and fourth numbers from the 10-digit string.
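The Swivel exchange described above, modelled in Python as an added example (not Swivel’s own code): the server issues a fresh ten-digit string, the user answers with the digits found at the positions named by the PIN, and the server consumes the string after one attempt so a captured code cannot be replayed. The class and function names are made up for this example, and treating a PIN digit of 0 as the tenth position is an assumption the sidebar does not state.

```python
"""Constructed model of a PIN-plus-security-string login (added example)."""
import hmac
import secrets
from typing import Dict, Optional

PIN_LENGTH = 4
STRING_LENGTH = 10


def generate_security_string() -> str:
    """Server side: a fresh, random 10-digit string for exactly one login attempt."""
    return "".join(str(secrets.randbelow(10)) for _ in range(STRING_LENGTH))


def derive_one_time_code(pin: str, security_string: str) -> str:
    """Client side: each PIN digit names a 1-based position in the string.

    PIN 1234 against "3871904562" yields "3871". A PIN digit of 0 is taken to
    mean the tenth position (an assumption; the sidebar only shows digits 1-4).
    """
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        raise ValueError("PIN must be exactly four digits")
    if len(security_string) != STRING_LENGTH or not security_string.isdigit():
        raise ValueError("security string must be exactly ten digits")
    # int(d) - 1 maps '1'..'9' to indexes 0..8 and '0' to -1, i.e. the last digit.
    return "".join(security_string[int(d) - 1] for d in pin)


class PinSafeServer:
    """Minimal verifier (hypothetical name) holding PINs and outstanding strings."""

    def __init__(self, pins: Dict[str, str]) -> None:
        self._pins = dict(pins)            # username -> PIN (constructed sample data)
        self._pending: Dict[str, str] = {}  # username -> string awaiting an answer

    def start_login(self, username: str, security_string: Optional[str] = None) -> str:
        """Issue the challenge string; a caller may inject a fixed one for testing."""
        s = security_string or generate_security_string()
        self._pending[username] = s
        return s

    def verify(self, username: str, one_time_code: str) -> bool:
        """Check the submitted code against the one outstanding string.

        The string is consumed on the first attempt, right or wrong, so a code
        observed during one login is useless against the next challenge.
        """
        s = self._pending.pop(username, None)
        pin = self._pins.get(username)
        if s is None or pin is None:
            return False
        expected = derive_one_time_code(pin, s)
        # Constant-time comparison: no timing signal about which digits matched.
        return hmac.compare_digest(expected, one_time_code)


if __name__ == "__main__":
    server = PinSafeServer({"alice": "1234"})  # constructed account
    challenge = server.start_login("alice")
    code = derive_one_time_code("1234", challenge)  # what the user would type
    print(challenge, code, server.verify("alice", code))
```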

Pathword www.cryptme.com/e
Swiss company CryptMe’s most basic authentication tool is a unique physical card issued to each user, with a grid of random letters and symbols. It’s particularly useful in cases where the user has multiple passwords. The user can memorize a two-letter code and then use the Pathword card to apply that code to generate up to 15 unique, strong (multiletter, case-sensitive) passwords. Carrying the card relieves the user of having to memorize those passwords, because they can be reconstructed with the two-letter code anytime the user wants to log in.

SiVault Systems www.sivault.com
Hewlett-Packard www.hp.com
Hewlett-Packard has, for years, offered a Digital Pen product. SiVault is an HP channel partner in the healthcare, financial and retail industries. SiVault recently announced a combination of the pen with HP biometric and authentication technologies such that a physician’s signature can be compared on the fly with stored documents to ensure that the signer is the real McCoy.

Digital Authentication Technologies www.dathq.com
DAT’s seven-factor authentication process incorporates location awareness, physics and “dynamic entropy.” The company does not claim that this is transparent to the end user, and we do not claim to understand how it works, although clearly the only people who can log in are authorized users using authorized applications on authorized machines in authorized locations. At any rate the first official product, dubbed Trilobite, is due out early this year.

-Derek Slater


that are explicitly allowed between untrusted devices. One of the most common of these is the Bluetooth function of sending and receiving business cards. This is an allowed untrusted operation because, in theory, you can always delete somebody’s business card. But an attacker can use this feature to fill up your phone’s address book with a thousand different cards. Alternatively, somebody interested in promoting a new nightclub, for instance, might just walk around town with a program that searches out Bluetooth phones and transmits an advertisement to each one in the form of a business card. There’s even a program called BlueSpam (download it from www.mulliner.org) that does precisely this: It runs on a PalmOne Tungsten.

Bluetooth promoters were quick to defend these vulnerabilities, arguing that the limited range of the Bluetooth signal makes the system more secure than it might otherwise be. If somebody is close enough to you that you can send him a piece of spam, you’re close enough to reach out and wring his neck, the theory goes. Lots of hip singles in Europe keep their Bluetooth phones enabled all the time: Using business cards to flirt.

There are two problems with this spatial locality argument. First, it is possible to attack somebody’s Bluetooth phone using an automated hacking tool running on a PDA that’s hidden in your pocket. Since humans can’t see radio waves, it’s impossible to tell who the attack is actually coming from. The second problem is that the range of Bluetooth devices I quoted above assumes that the devices are equipped with a pretty cheap antenna and no amplifier. Using a 500mW amplifier and a 19 decibel antenna mounted on the stock of a sniper’s rifle, John Hering, a student in Los Angeles, created the “BlueSniper” Bluetooth rifle. This weapon can lock on to an ordinary Bluetooth device at the distance of a mile.

The biggest security problem with Bluetooth today, however, has nothing to do with the underlying security model. The big problem is that many Bluetooth devices have the same sort of bugs and security vulnerabilities as those that have been haunting Microsoft since it started shipping Internet Explorer in the mid-1990s: Poor programming practices, poor quality assurance and a lack of attention to security have resulted in exploitable buffer overflows and other kinds of attacks.

One set of vulnerabilities that has been discovered allows an attacker to reach into a phone’s address book and retrieve or modify information. Another vulnerability leaves the database of trusted devices open to attack. To be fair, some cell phone vendors have issued “patches” to fix these vulnerabilities. In practice, of course, many phones won’t get patched or otherwise upgraded. You can find an excellent list of which phones are vulnerable to which vulnerabilities at www.thebunker.net/security/bluetooth.htm.

The potential dangers of these vulnerabilities are vast. A Bluetooth virus could be passed from phone-to-phone by people passing each other in the street. After a week, the virus could turn ugly and have everybody’s phone dial 911. In Europe, a phone could issue a so-called reverse short message service transaction and actually transfer money from the phone subscriber’s bank account to the attacker’s.

There are also privacy issues with Bluetooth surrounding the BD_ADDR itself. Because the number usually doesn’t change, an attacker with a lot of Bluetooth sensors around the city could use a BD_ADDR to track people’s movements. These problems are very similar to the privacy issues raised by RFID.

I like Bluetooth a lot. I like being able to sync my PDA to my laptop without having to take out a cable. I like being able to use my cell phone as a laptop gateway. I applaud the goal of universal interconnectivity. But Bluetooth vendors have got to take security issues more seriously, or else we’re going to see a new generation of attacks on the cellular telephone system that will make the worms we’ve lived with on the Internet look like child’s play.

Simson Garfinkel, CISSP, is a technology writer based in the Boston area. He can be reached via e-mail at machineshop@cxo.com.


ILLUSTRATION BY GETTYONE




Sales and Services

CSO Sales Offices
President and CEO: Walter Manninen • 508 935-4101
Group Publisher: Gary J. Beach • 508 935-4202
Publisher: Bob Bragdon • 508 935-4443
Executive VP Sales/Custom Publishing: Ellen Romanow • 508 935-4796

East Coast
East Coast Regional Manager: Roz Burke • 508 935-4163
Regional Sales Director: Kathy Powers • 201 634-2331
Sales Assistant: Christine Hopkins • 508 988-7836

Midwest
Regional Sales Director: Robert E. Sawdon • 512 306-9801
Senior District Sales Manager: Beth DeVillez • 847 441-3140

West Coast
Western Regional Sales Manager: Mary Sinclair • 415 975-2691
Senior Regional Sales Manager: Al Collins • 415 975-2686

List Services
List Services Director: Kathryn A.W. Marston • 508 935-4072
List Services Account Executive: Stephanie Roy • 508 935-4151

Online Services
VP/Online Sales: Lisa Brown • 508 935-4470
Online Sales Manager: Michael McPhee • 508 935-4611

Custom Publishing
Group Director: Michael Siggins • 508 988-6763
Director: Mary Gregory • 508 988-6765
Director of Content Development: Tom Field
Senior Project Manager: Amy Greenleaf
Project Manager: John Danielowich

Production
VP/Manufacturing: Chris Cuoco
Production Manager: Lee Tuttle
Senior Production Coordinator: Lisa Stevenson
Production Coordinator: Stephanie Naughton

Executive Programs
Senior VP/Executive Programs: Jennifer Richards
Conference Management VP: Cynthia Mollus
Marketing Services Director: Shellie Rapson James
Business Development Director: John Vulopas
Program Operations Manager: Brian Fuce
Marketing Manager: Glede Kabongo
Senior Client Relations Specialist: Sandra J. Hughey
Senior Logistics Coordinator: Michael Barbato
Event Planning Director: Amy Turell
Senior Customer Service Coordinator: Sarah Yee

Marketing
Executive VP/CMO: Cathy O'Leary Hayes
VP/News and Information: Susan Watson
Publicist: Lori Piscatelli
Marketing Research Director: Bridget Cammarata
Marketing Research Manager: Dylan DiGregorio
Marketing Comm. Director: Sue Yanovitch
Partnership/Sponsorship Coordinator: Lynn Holmlund

Circulation
Senior VP/Circulation: Carol A. Spach
Circulation Director: Faith Marcello
Subscription Svcs. Supervisor: Tina Pescaro

Reprint Services
For article reprints (500 quantity or more), please contact Keith Williams at PARS International at 212 221-9595 x319 or e-mail keith@parsintl.com. For further sales information, visit www.csoonline.com/reprints/index.html.


CSO Contact Information

Editorial, Advertising and Business Offices
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208, 508 872-0080.

Postal Information
CSO (ISSN 1540-904x) is published monthly by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodicals Postage Paid at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. CANADIAN POSTMASTER: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9.

Permissions
Copyright 2004 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Send requests to Andrew Burrell, CXO Media Inc., 492 Old Connecticut Path, Framingham, MA 01701. Telephone 508 935-4785. E-mail aburrell@cxo.com.

Photocopy Rights
Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that the base fee of $3 per copy of the article, plus $.50 per page is paid directly to Copyright Clearance Center, 27 Congress Street, Salem, MA 01970. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol: $.

Subscriptions
Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified information executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin.

Change of Address
Please go to www.omeda.com/custsrv/cso and follow the online instructions.

Postmaster
Send change of address to CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


Index of Companies and Advertisers

Page numbers refer to the first page of the article(s) in which the company has a substantial mention. This index is provided as a service to readers. The publisher does not assume any liability for errors or omissions.


Company Index

Accenture Ltd. ... 19
America Online Inc. ... 19
Barclays Bank Plc ... 19
BioPassword LLC ... 59
Boston Scientific Corp. ... 26
Caesars Entertainment Inc. ... 19
Carlson Companies Inc. ... 26
Corporate Privacy Group ... 26
CryptMe ... 59
Digital Authentication Technologies Inc. ... 59
E-Loan Inc. ... 26
Ernst & Young LLP ... 26
Fidelity Investments International ... 34
GenuOne Inc. ... 42
Georgia Power Co. ... 34
Hewlett-Packard Co. ... 59
IBM Corp. ... 26
iJet Travel Risk Management ... 19
Internet Crimes Group Inc. ... 42
Kimberly-Clark Corp. ... 42
MassMutual Financial Group ... 52
National Football League Inc. ... 19
Nationwide Mutual Insurance Co. ... 52
Nestle SA ... 34
New Perspectives Consulting Group Inc. ... 19
PalmOne Inc. ... 59
Procter & Gamble Co., The ... 26
Real User Corp. ... 59
Roche Diagnostics Corp. ... 42
RSA Security Inc. ... 59
Science Applications International Corp. ... 52
Siemens Business Services Inc. ... 19
SiVault Systems Inc. ... 59
Starbucks Corp. ... 34
Swivel Technologies Ltd. ... 59
Tower Group Holding Corp. ... 22
Triton Security Solutions Inc. ... 24
Wachovia Corp. ... 22

Advertiser Index

Adobe Systems Inc. ... 2
Authenex Inc. ... 13
CDW Corp. ... 14
CXO Media Inc. ... 50, 58, 63
F5 Networks ... 5
Information Systems Audit & Control Assoc. ... 25
Internet Security Systems ... 10
NetIQ Corp. ... 33
Nokia Corp. ... 23
Panasonic ... 45, 47, 49
Patchlink Corp. ... C4
Robert Half International ... 16
RSA Security Inc. ... 19
Software House ... 41
Sophos Plc ... 7
Symantec Corp. ... C2
Vanguard Integrity Professionals ... C3
VeriSign ... 9




It’s OK to show off to your friends that you were in CSO.

But it’s even better to show your customers.

What better way to inform your key customers of your editorial coverage in CSO than through customized Editorial Reprints?

Leverage the positive impact of your editorial coverage by using reprints for direct mail campaigns, seminar promotions, employee communications, recruiting and marketing programs. Let us enhance your reprints with your company’s logo, address, and sales message. Reprints make great SALES tools for trade shows, mailings or media kits.

And while a framed copy of your article will look neat on your wall, it will look even better in the hands of your customers.

CSO: The Resource for Security Executives

For more information on customized editorial reprints in volume quantities, contact Keith Williams at 212.221.9595 x 319 or email keith@parsintl.com.


Sticky Fingers and Radials

Been Caught Stealin’

1. According to the University of Florida’s 2003 National Retail Security Survey, what percentage of total annual sales were lost due to inventory shrinkage?

a. 0.008%  b. 0.51%  c. 1.65%  d. 8.1%

2. What percentage of total annual sales were devoted to loss prevention budgets?

a. 0.008%  b. 0.51%  c. 1.65%  d. 8.1%

3. How much revenue was lost to inventory shrinkage in 2003?

a. $2.4 billion  b. $19.2 billion  c. $33.6 billion  d. $55 billion

4. What retail sector showed the highest rate of shrinkage, at 5.2%?

a. Music/videos
b. Auto parts/tires/accessories
c. Jewelry
d. Office supplies/stationery

5. What retail sector showed the lowest rate of shrinkage, at 0.45%?

a. Music/videos
b. Auto parts/tires/accessories
c. Jewelry
d. Office supplies/stationery

Match the type of loss to its piece of the overall inventory shrinkage pie.

6. Shoplifting
7. Administrative error
8. Employee theft
9. Vendor fraud

a. 15%
b. 47%
c. 6%
d. 32%

Match these celebrities to what they allegedly shoplifted.

10. Actress Winona Ryder
11. Actress Hedy Lamarr
12. Gymnast Olga Korbut
13. Tennis star Jennifer Capriati
14. Movie critic Rex Reed
15. Miss America Bess Myerson
16. Muhammad Ali’s daughter, Hana Yasmeen Ali

a. Greeting cards and bikini underwear from May Co. Wilshire department store ($86)
b. Designer clothes and accessories at Saks Fifth Avenue in Beverly Hills ($6,400)
c. Three CDs at Tower Records in New York City ($30; charges dropped)
d. Cheese, chocolate syrup, figs, Earl Grey tea and seasoning mix from an Atlanta-area Publix grocery ($19)
e. Marcasite ring from the Tampa Bay Center ($35)
f. Bedding from a Linens ’N Things in suburban Toledo (unspecified amount, but tampered with price tag on a $70 picture frame)
g. Nail polish, earrings, shoes and flashlight batteries from a department store in Pennsylvania ($44)

17. According to the 2003 University of Florida survey, which of the following statements is not true?

a. Companies employ fewer than one loss prevention employee per store, or half as many as three years ago.
b. When screening employees, companies are three-and-a-half times as likely to verify education credentials with managers as they are with nonmanagers.
c. Losses due to administrative errors have decreased threefold since 2001 because of improved technology.
d. Fewer than 2 in 10 companies reported the use of the asset control policy, “electronically controlled access to cash handling areas.”

Bonus question: According to an essay called “The Art of Shoplifting” by Australian college students, what should you do if you’re caught shoplifting?




How’d You Do?

0-5 correct: Honest to a Fault
6-15 correct: Honest to a Point
16-18 correct: Honest to God!


64 www.csoonline.com February 2005

ILLUSTRATION BY ASAF HANUKA


Cross-Platform Security Solutions From Vanguard

In large organizations with thousands of information technology (IT) systems, achieving security is a daunting task.

At Vanguard we believe in treating the entire enterprise as a single trusted domain. That’s the power of Vanguard’s Security-on-Demand™.




Users Have A Single Password

Vanguard ez/SignOn™ redirects authentication to the z/Series Security Server (RACF). Users are guided through a one-time self-registration process and sign on using their RACF password.

Easy to Reset A Forgotten Password

Vanguard PasswordReset™ allows users to safely and securely reset their own password.


19th Annual Vanguard Enterprise Security Expo™ & RACF® Users Training 2005
May 8-12, 2005
Orlando, FL

The 19th Annual Vanguard Enterprise Security Expo is the ideal training opportunity to ensure that your organization is fully prepared to address today’s most complex security issues. More than ever before, it’s imperative to protect your organization’s critical infrastructure. The Vanguard Enterprise Security Expo™ & RACF® Users’ Training provides real-world, practical solutions for evaluating, implementing, and managing the protection of your corporate information assets.

Register today: www.go2vanguard.com/conference


Vanguard’s Security-on-Demand Solutions

Vanguard Administrator
Vanguard Advisor
Vanguard Analyzer
Vanguard Enforcer
Vanguard SecurityCenter
Vanguard ez/SignOn
Vanguard ez/Integrator
Vanguard ez/AccessControl
Vanguard ez/Token
Vanguard INCompliance
Vanguard PasswordReset
Vanguard Registration Manager

For more information, visit us at www.go2vanguard.com or call 702.794.0014 today!

©2005 Vanguard Integrity Professionals • Nevada / MKT-580-04




Is your network sending out an open invitation to be breached?

Inside your free kit:

■ Expert analysis from Yankee Group
■ Real-world case studies
■ Instructive white paper
■ and more

Now you can exchange your invitation for a padlock. Just request your FREE “Automating Patch Management” Kit and discover how to . . .

■ Prevent network breaches by identifying and loading critical patches — effortlessly.

■ Eliminate days of research determining which patches are essential to the security of your system - whether it be Windows, Unix, Linux or Macintosh systems and applications.

■ Confidently install fully tested patches to avoid conflicts or system damage — and automatically roll back to a secure system when and if the need arises.

When your enterprise network is vulnerable, your entire organization is vulnerable.

Request your “Automating Patch Management” Kit now, with no obligation, and see how easily you can stop sending out this dangerous invitation.


